Sl. No. | Vulnerability Description | Date of Reporting | Patch Release (version) and Public Disclosure | Associated CVE IDs |
---|---|---|---|---|
1 | A reflected cross-site scripting (XSS) vulnerability was reported in PAM360. The issue has been fixed and no longer exists in the latest version. | April 24, 2024 | April 26, 2024 (v6611) | |
2 | An authorization vulnerability in PAM360 was discovered by the internal security team. The issue has been fixed and no longer exists in the fixed version. | April 09, 2024 | April 10, 2024 (v6601) | |
3 | A SQL injection vulnerability in the internal framework that would have allowed any PAM360 user to access the backend database. | November 25, 2022 | December 28, 2022 (v5801) | CVE-2022-47523 |
4 | A remote code execution vulnerability caused by the use of an outdated third-party component. | October 25, 2022 | November 7, 2022 (v5713) | CVE-2022-47966 |
5 | SQL injection vulnerabilities caused by improper user input validation, identified in the Resource Audit configuration page and in password notifications for user groups. | October 2, 2022 | October 22, 2022 (v5711) | CVE-2022-43672, CVE-2022-43671 |
6 | Several SQL injection vulnerabilities caused by improper user input validation, identified in the Search and Resource Group export operations. | August 26, 2022 | September 11, 2022 (v5600) | CVE-2022-40300 |
7 | An authentication bypass vulnerability that allowed an adversary to create arbitrary directories and a large number of small files on the PAM360 server. | May 21, 2022 | June 23, 2022 (v5510) | CVE-2022-35404 |
8 | A remote code execution vulnerability that allowed an adversary to exploit the host via XML-RPC. | June 21, 2022 | June 23, 2022 (v5510) | CVE-2022-35405 |
9 | An authentication bypass vulnerability in ManageEngine PAM360 builds 4001 through 5400, caused by an improper URI check, that allowed an adversary to bypass security checks on seven REST API URLs, gain unauthorized access to the application, and invoke certain operations. | April 12, 2022 | April 15, 2022 (v5401) | |
10 | An authentication bypass vulnerability that allowed an adversary to gain unauthorized access to the application and invoke actions through specific application URLs. It affects ManageEngine Access Manager Plus versions up to 4202. | December 04, 2021 | December 04, 2021 (v5303) | |
11 | A token leakage issue in the script provided for the Ansible plugin integration in PAM360: the token was printed as part of the URL variable and could be seen by any ordinary user. Fixed by removing the prints and adding an argument to validate the server certificate. | November 19, 2021 | November 25, 2021 | CVE-2022-26145 |
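The Ansible plugin entry above describes a pattern worth seeing in code: an integration script puts the API token in the request URL and prints that URL, so the secret lands in job output, shell history and proxy or access logs, and the fix is to stop printing it and to give the caller a way to validate the server certificate. The following is an added example written for this page; it is not PAM360's, ManageEngine's or the Ansible plugin's own code. The endpoint path `/restapi/json/v1/resources`, the `AUTHTOKEN` parameter and header name, the host `pam.example.test` and the sample log lines are all constructed placeholders, not facts about the real API.

```python
"""Added example (not PAM360 or ManageEngine code): a token leaking through
a printed URL, the hardened equivalent, and a scan for already-leaked tokens.
All endpoint/parameter names and the sample log are hypothetical."""
import logging
import re
import ssl
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request

# Query-parameter / header names treated as secrets. 'AUTHTOKEN' is an
# illustrative placeholder, not a claim about PAM360's real API surface.
SECRET_PARAMS = {"authtoken", "token", "apikey", "api_key"}

# Hypothetical endpoint path used only for this demonstration.
RESOURCES_PATH = "/restapi/json/v1/resources"


def redact_url(url: str) -> str:
    """Return `url` with the value of every secret-named query parameter masked."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SECRET_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def url_carries_secret(url: str) -> bool:
    """True if a secret-named parameter appears in the URL's query string."""
    return any(k.lower() in SECRET_PARAMS
               for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True))


def vulnerable_request(base_url: str, token: str) -> Request:
    """The leaky pattern: token in the query string, full URL printed."""
    url = f"{base_url}{RESOURCES_PATH}?{urlencode({'AUTHTOKEN': token})}"
    # This print is the leak: stdout ends up in Ansible job output and CI logs,
    # and the query string ends up in proxy and web-server access logs as well.
    print("Requesting", url)
    return Request(url)


@dataclass
class PreparedCall:
    request: Request
    tls_context: ssl.SSLContext


def hardened_request(base_url: str, token: str,
                     ca_bundle: Optional[str] = None) -> PreparedCall:
    """Token travels in a header, logs only ever see a redacted URL, and the
    caller may pass a CA bundle path; ca_bundle=None uses the system trust store."""
    url = f"{base_url}{RESOURCES_PATH}"
    req = Request(url, headers={"AUTHTOKEN": token})
    # create_default_context() enables chain verification and hostname checking.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    logging.getLogger(__name__).debug("Requesting %s", redact_url(url))
    return PreparedCall(req, ctx)


# Detection side: find URLs that carry a secret parameter in captured output.
TOKEN_IN_URL = re.compile(
    r"https?://\S*?[?&](?:" + "|".join(sorted(SECRET_PARAMS)) + r")=([^&\s]+)",
    re.IGNORECASE,
)


def find_leaked_tokens(log_text: str) -> list[str]:
    """Return every token value that appears inside a URL in `log_text`."""
    return [m.group(1) for m in TOKEN_IN_URL.finditer(log_text)]


# Constructed sample of the kind of job output the vulnerable script produces.
SAMPLE_LOG = (
    "TASK [fetch secret] ***\n"
    "Requesting https://pam.example.test/restapi/json/v1/resources?AUTHTOKEN=abc123&id=7\n"
    "ok: [localhost]\n"
)

if __name__ == "__main__":
    print("leaked:", find_leaked_tokens(SAMPLE_LOG))
    call = hardened_request("https://pam.example.test", "tok")
    print("hardened URL:", call.request.full_url)
```

`find_leaked_tokens` is the check to run over old job logs and shell histories after deploying the fixed script: any token it returns has already been exposed and should be rotated, since removing the print only stops future leaks.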