SQL Injection in ManageEngine Privileged Access Management [CVE-2022-40300]

We discussed this vulnerability during Episode 171 on 28 November 2022

An SQLi in Password Manager Pro, which is bundled with ManageEngine's Privileged Access Management 360 (PAM360) and Access Manager Plus. In the password manager there's a concept of "resources" that can be added or edited; doing so internally submits a multipart form request to the AddResourceType.ve endpoint. The resource names are used by the AutoLogonHelperUtil class to construct partial SQL statements, but they're not sanitized against SQLi. It's possible to add or edit a resource with a malicious SQL payload and then click something that causes that resource name to be used in a query (via something like the connections menu), getting SQL code execution. Exploitation requires authentication.
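The bug class described above, building a partial SQL clause by concatenating a user-supplied resource name, is shown below as an added illustration. It is not code from ManageEngine or from the show; Password Manager Pro is a Java product and its real query code is not on this page, so this is a generic Python/sqlite3 stand-in with a constructed `resources` table and hypothetical function names. The vulnerable helper reproduces the pattern (name spliced into a `WHERE` fragment), the safe variant binds the name as a parameter, and `demo()` returns both results side by side.

```python
import sqlite3


def setup_db():
    """Constructed sample data: three stored resources with an owner column."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE resources (id INTEGER PRIMARY KEY, name TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO resources (name, owner) VALUES (?, ?)",
        [("web-server", "alice"), ("db-server", "bob"), ("jump-host", "carol")],
    )
    return conn


def resource_clause_vulnerable(resource_name):
    # Hypothetical stand-in for a helper that returns a partial SQL statement.
    # The name is spliced straight into the fragment, so a quote in it
    # changes the query structure instead of being treated as data.
    return "WHERE name = '" + resource_name + "'"


def lookup_vulnerable(conn, resource_name):
    sql = "SELECT owner FROM resources " + resource_clause_vulnerable(resource_name)
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, resource_name):
    # Hardened form: the driver binds the value, so the name can only ever
    # match a literal string and never alters the statement.
    rows = conn.execute(
        "SELECT owner FROM resources WHERE name = ?", (resource_name,)
    )
    return [row[0] for row in rows]


def demo():
    conn = setup_db()
    normal = "web-server"
    # Constructed sample of a resource name carrying a quote; in the safe
    # variant it simply fails to match any row.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_safe(conn, normal),
        "safe_hostile": lookup_safe(conn, hostile),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable path returns every owner when the stored name contains a quote, which is the "resource name used in a query" step the summary describes; the parameterized path returns nothing for the same input because the name is compared as an opaque string.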