| SI.No | Vulnerability Description | Date of Reporting | Patch Release (version) and Public Disclosure |
Associated CVE IDs |
|---|---|---|---|---|
|
A SQL injection vulnerability (CVE-2022-47523) in the internal framework that would grant access to all the Password Manager Pro users to the backend database. |
November 25, 2022 |
December 30,2022 (v12210) |
||
|
A remote code execution vulnerability (CVE-2022-47966) that occurred due to the usage of an outdated third party. |
October 25, 2022 |
November 7,2022 (v12124) |
||
|
SQL injection vulnerabilities (CVE-2022-43672, CVE-2022-43671) that had occurred due to improper user input and validation were identified in the Resource Audit configuration page and password notifications for user groups. |
October 2,2022 |
October 21,2022 (v12122) |
||
|
Several SQL injection vulnerabilities (CVE-2022-40300) that had emerged due to improper user input validation were identified in the Search and Resource Group export operations. |
August 26,2022 |
September 10,2022 (v12121) |
||
|
An authentication bypass vulnerability (CVE-2022-35404) that allowed an adversary to create arbitrary directories and ample small-sized files in the Password Manager Pro server. |
May 21,2022 |
June 24,2022 (v12101) |
||
|
A remote code execution vulnerability (CVE-2022-35405) that allowed an adversary to exploit the host via XML-RPC. |
June 21,2022 |
June 24,2022 (v12101) |
||
| An authentication bypass vulnerability, which occurred in ManageEngine Password Manager Pro builds from 10103 to 12006 due to an improper URI check, allowed an adversary to bypass security checks in seven RESTAPI URLs, gain unauthorized access to the application and invoke certain operations. | April 11, 2022 | April 14, 2022 (v12007) | CVE-2022-29081 | |
| An authentication bypass vulnerability, which affected ManageEngine Password Manager Pro versions up to 12001, allowed an adversary to gain unauthorized access to the application and invoke actions through specific application URLs. | December 2, 2021 | December 4, 2021 (v12002) | CVE-2021-44525 |
|
| Users with access to the Password Manager Pro server, running in a machine with a few policies configured, were able to view the IIS web.config passwords as cleartext in the event log. | May 16, 2021 | July 7, 2021 (v11200) | ZVE-2021-1797 |
|
| A user enumeration vulnerability. | April 14, 2021 | July 7, 2021 (v11200) | CVE-2021-33617 | |
| A vulnerability from version 9.7.0 that permitted the retrieval of masked non-website resource type passwords as clear-text. | January 14, 2021 | May 4, 2021 (v11104) | CVE-2021-31857 (Reported by: Sandeep Saxena) |
|
| A security vulnerability allowed unauthorized personnel to pull the Super Admin's email address. | March 12, 2021 | April 1, 2021 (v11103) | ZVE-2021-0870 | |
| A Cross-Site Scripting (XSS) issue that occurred in the web app connection page. | March 05, 2021 | March 12, 2021 (v11102) | ZVE-2021-0768 | |
| Due to an inadequate CSRF protection to the URL, there was a risk of attackers changing user roles in Password Manager Pro. | January 11, 2020 | March 2, 2020 (v10403) | CVE-2020-9346 (Reported by: Luka Sikic of INFIGO) |
|
| SparkGateway, which comes bundled with Password Manager Pro to enable RDP connections to target systems, has been upgraded from v5.0 to v5.6 to support CredSSP protocol v6. This latest version released by Microsoft contains security updates to address a remote code execution vulnerability that existed in the protocol. | April 27, 2018 | May 8, 2018 (v9601) | CVE-2018-0886 |
|
| Cross-Site Request Forgery vulnerability. This vulnerability could be exploited by Password Manager Pro users while remaining authenticated, provided the user has knowledge about PMP's URL construction pattern and various parameters to craft forged requests. This could be exploited only by forging the URL and not through inputs in the GUI. | June 2015 | June 2016 (v8500) | JVNVU#95113461 CVE-2016-1161 (Reported by: CSIRT, Excellium Services) |
|
| While viewing old passwords from password history, it was possible for a password user to retrieve password history of unshared passwords by manipulating the request URL. | February 23, 2016 | April 2016 (v8403) | CVE-2016-1159 (Reported by: CSIRT, Excellium Services) |
|
| A SQL injection vulnerability identified in advanced search module of PMP has been fixed. | June 2015 | July 2015 (v8101) | CVE-2015-5459 | |
| An XML external entity injection identified in XMLRPC API has been fixed | May 2014 | May 2015 (v8000) | - | |
| A SQL injection identified in PMP web application has been fixed. | October 27, 2014 | November 2014 (v7105) | CVE-2014-8499 | |
| A clickjacking vulnerability identified in PMP web application has been fixed. | October 27, 2014 | November 2014 (v7105) | - | |
| A filename Denial of Service vulnerability identified in PMP has been fixed. | February 2014 | September 2014 (v7103) | CVE-2014-9372 | |
| Fixed a backdoor issue through which SQL injection was possible in PMP. | June 2014 | June 2014 (v7003) | CVE-2014-3997, CVE-2014-3996 | |
| Possibility for an XSS vulnerability (which can be triggered during authentication), was identified in PMP v7001. This has been fixed. | March 20, 2014 | April 2014 (v7002) | - | |
| PMP v7001 was identified to be having directory traversal vulnerability. This has been fixed by updating the RDP gateway. | March 20, 2014 | April 2014 (v7002) | - |
SSL & SSH Key Management