CVE-2022-40300: SQL Injection Vulnerability in Zoho Products
Enterprise software maker Zoho Corp said it has released patches for a high-severity vulnerability affecting Password Manager Pro, PAM360, and Access Manager Plus.
Tracked as CVE-2022-40300 and rated high severity, the newly addressed security bug is a SQL injection issue that could allow a remote attacker to interfere with the queries that an application makes to its database. By sending specially crafted SQL statements through the vulnerable request, a remote attacker could execute custom queries and read entries from the database tables.
Zoho provides network, data center, desktop, mobile device, and security solutions to more than 50 million customers, including three out of every five Fortune 500 companies.
“These vulnerabilities can allow an adversary to execute custom queries and access the database table entries using the vulnerable request,” Zoho explains.
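To make the bug class concrete, the following added example (not Zoho's code and not taken from the advisory) shows the general pattern behind a SQL injection: a lookup that splices a request parameter into the query text, next to the same lookup using a parameterized query. The table, rows and `owner` parameter are constructed for the illustration; the point is that the hardened version treats the input purely as a value, so it can no longer change the query the application intended to run.

```python
import sqlite3

# Constructed sample data standing in for an application database.
SAMPLE_ROWS = [
    ("db-prod", "alice", "constructed-secret-1"),
    ("db-test", "bob", "constructed-secret-2"),
]


def make_db():
    """Build an in-memory database with a small constructed 'resources' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE resources (id INTEGER PRIMARY KEY, name TEXT, owner TEXT, secret TEXT)"
    )
    conn.executemany(
        "INSERT INTO resources (name, owner, secret) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    return conn


def lookup_vulnerable(conn, owner):
    """Vulnerable pattern: the request parameter is concatenated into the SQL text,
    so a value containing quotes and operators becomes part of the query logic."""
    sql = f"SELECT name FROM resources WHERE owner = '{owner}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(conn, owner):
    """Hardened pattern: the parameter is bound by the driver and is only ever
    compared as a string value, never parsed as SQL."""
    sql = "SELECT name FROM resources WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def compare(owner):
    """Run both lookups on the same input and return the result of each,
    which makes the difference in behaviour visible for a given parameter."""
    conn = make_db()
    try:
        return {
            "vulnerable": sorted(lookup_vulnerable(conn, owner)),
            "hardened": sorted(lookup_hardened(conn, owner)),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # A well-formed parameter returns the caller's own row from both lookups.
    print(compare("alice"))
    # A crafted parameter makes the vulnerable query return every row, while the
    # hardened query simply finds no owner with that literal name.
    print(compare("' OR '1'='1"))
```

The fix for this bug class is the same regardless of framework: bind every request-supplied value with the driver's parameter mechanism (or an ORM that does so), and never build SQL text from user input. Where parameter binding is not possible, for example for identifiers, validate against an allow-list instead of escaping.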
CVE-2022-40300 affects the Password Manager Pro, PAM360, and Access Manager Plus versions listed below:
| Product Name | Affected Version(s) | Fixed Version(s) | Fixed On |
| --- | --- | --- | --- |
| Password Manager Pro | 12120 and below | 12121 | 10-09-2022 |
| PAM360 | 5550 and below | 5600 | 11-09-2022 |
| Access Manager Plus | 4304 and below | 4305 | 10-09-2022 |
Zoho made no mention of the vulnerability being exploited in malicious attacks. It’s recommended that users apply the updates as soon as possible to mitigate any potential threats.