Vulnerability Details : CVE-2015-5459
SQL injection vulnerability in the AdvanceSearch.class in AdventNetPassTrix.jar in ManageEngine Password Manager Pro (PMP) before 8.1 Build 8101 allows remote authenticated users to execute arbitrary SQL commands via the ANDOR parameter, as demonstrated by a request to STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc.
Vulnerability category: Sql Injection
Exploit prediction scoring system (EPSS) score for CVE-2015-5459
Probability of exploitation activity in the next 30 days: 0.84%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 80 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2015-5459
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|
|
6.5
|
MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
8.0
|
6.4
|
[email protected] |
CWE ids for CVE-2015-5459
-
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.Assigned by: [email protected] (Primary)
References for CVE-2015-5459
-
https://www.manageengine.com/products/passwordmanagerpro/release-notes.html
Patch;Vendor Advisory
-
http://www.securityfocus.com/bid/75692
-
http://seclists.org/fulldisclosure/2015/Jul/19
-
http://packetstormsecurity.com/files/132511/ManageEngine-Password-Manager-Pro-8.1-SQL-Injection.html
Exploit
-
http://seclists.org/fulldisclosure/2015/Jun/104
Exploit
Products affected by CVE-2015-5459
- cpe:2.3:a:zohocorp:manageengine_password_manager_pro:*:*:*:*:*:*:*:*