ManageEngine Password Manager Pro

List of vulnerabilities reported and fixed:

| Sl. No. | Vulnerability Description | Date of Reporting | Patch Release (version) and Public Disclosure | Associated CVE IDs |
|---|---|---|---|---|
| 1 | A SQL injection vulnerability (CVE-2022-47523) in the internal framework that would have granted all Password Manager Pro users access to the backend database. | November 25, 2022 | December 30, 2022 (v12210) | CVE-2022-47523 |
| 2 | A remote code execution vulnerability (CVE-2022-47966) caused by the use of an outdated third-party component. | October 25, 2022 | November 7, 2022 (v12124) | CVE-2022-47966 |
| 3 | SQL injection vulnerabilities (CVE-2022-43672, CVE-2022-43671) caused by improper user input validation were identified in the Resource Audit configuration page and in password notifications for user groups. | October 2, 2022 | October 21, 2022 (v12122) | CVE-2022-43672, CVE-2022-43671 |
| 4 | Several SQL injection vulnerabilities (CVE-2022-40300) caused by improper user input validation were identified in the Search and Resource Group export operations. | August 26, 2022 | September 10, 2022 (v12121) | CVE-2022-40300 |
| 5 | An authentication bypass vulnerability (CVE-2022-35404) that allowed an adversary to create arbitrary directories and a large number of small files on the Password Manager Pro server. | May 21, 2022 | June 24, 2022 (v12101) | CVE-2022-35404 |
| 6 | A remote code execution vulnerability (CVE-2022-35405) that allowed an adversary to exploit the host via XML-RPC. | June 21, 2022 | June 24, 2022 (v12101) | CVE-2022-35405 |
| 7 | An authentication bypass vulnerability in ManageEngine Password Manager Pro builds 10103 to 12006, caused by an improper URI check, allowed an adversary to bypass security checks in seven REST API URLs, gain unauthorized access to the application and invoke certain operations. | April 11, 2022 | April 14, 2022 (v12007) | CVE-2022-29081 |
| 8 | An authentication bypass vulnerability affecting ManageEngine Password Manager Pro versions up to 12001 allowed an adversary to gain unauthorized access to the application and invoke actions through specific application URLs. | December 2, 2021 | December 4, 2021 (v12002) | CVE-2021-44525 |
| 9 | Users with access to the Password Manager Pro server, when it ran on a machine with certain policies configured, were able to view IIS web.config passwords in cleartext in the event log. | May 16, 2021 | July 7, 2021 (v11200) | ZVE-2021-1797 |
| 10 | A user enumeration vulnerability. | April 14, 2021 | July 7, 2021 (v11200) | CVE-2021-33617 |
| 11 | A vulnerability, present since version 9.7.0, that permitted retrieval of masked passwords of non-website resource types in cleartext. (Reported by: Sandeep Saxena) | January 14, 2021 | May 4, 2021 (v11104) | CVE-2021-31857 |
| 12 | A security vulnerability that allowed unauthorized personnel to retrieve the Super Admin's email address. | March 12, 2021 | April 1, 2021 (v11103) | ZVE-2021-0870 |
| 13 | A Cross-Site Scripting (XSS) issue in the web app connection page. | March 05, 2021 | March 12, 2021 (v11102) | ZVE-2021-0768 |
| 14 | Due to inadequate CSRF protection on a URL, attackers could have changed user roles in Password Manager Pro. (Reported by: Luka Sikic of INFIGO) | January 11, 2020 | March 2, 2020 (v10403) | CVE-2020-9346 |
| 15 | SparkGateway, bundled with Password Manager Pro to enable RDP connections to target systems, was upgraded from v5.0 to v5.6 to support CredSSP protocol v6. This version, released by Microsoft, contains security updates addressing a remote code execution vulnerability in the protocol. | April 27, 2018 | May 8, 2018 (v9601) | CVE-2018-0886 |
| 16 | Cross-Site Request Forgery vulnerability. It could be exploited while Password Manager Pro users remained authenticated, provided knowledge of PMP's URL construction pattern and the various parameters needed to craft forged requests; it could be exploited only by forging the URL, not through inputs in the GUI. (Reported by: CSIRT, Excellium Services) | June 2015 | June 2016 (v8500) | JVNVU#95113461 |
| 17 | While viewing old passwords from the password history, a password user could retrieve the password history of unshared passwords by manipulating the request URL. (Reported by: CSIRT, Excellium Services) | February 23, 2016 | April 2016 (v8403) | CVE-2016-1159 |
| 18 | A SQL injection vulnerability identified in the advanced search module of PMP has been fixed. | June 2015 | July 2015 (v8101) | CVE-2015-5459 |
| 19 | An XML external entity (XXE) injection identified in the XML-RPC API has been fixed. | May 2014 | May 2015 (v8000) | - |
| 20 | A SQL injection identified in the PMP web application has been fixed. | October 27, 2014 | November 2014 (v7105) | CVE-2014-8499 |
| 21 | A clickjacking vulnerability identified in the PMP web application has been fixed. | October 27, 2014 | November 2014 (v7105) | - |
| 22 | A filename denial-of-service vulnerability identified in PMP has been fixed. | February 2014 | September 2014 (v7103) | CVE-2014-9372 |
| 23 | Fixed a backdoor issue through which SQL injection was possible in PMP. | June 2014 | June 2014 (v7003) | CVE-2014-3997, CVE-2014-3996 |
| 24 | A possible XSS vulnerability, triggerable during authentication, was identified in PMP v7001. This has been fixed. | March 20, 2014 | April 2014 (v7002) | - |
| 25 | PMP v7001 was found to have a directory traversal vulnerability. This has been fixed by updating the RDP gateway. | March 20, 2014 | April 2014 (v7002) | - |