← Back

CVE-2022-29081

nvd nistnuclei
Published: Apr 28, 2022Modified: Nov 6, 2025

JSON object

Loading...
9.8
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 / Impact: 5.9
Source: NVD

Description

Zoho ManageEngine Access Manager Plus before 4302, Password Manager Pro before 12007, and PAM360 before 5401 are vulnerable to access-control bypass on a few Rest API URLs (for SSOutAction. SSLAction. LicenseMgr. GetProductDetails. GetDashboard. FetchEvents. and Synchronize) via the ../RestAPI substring.

Affected (50)

Zohocorp
3 products
Manageengine Access Manager Plus
Manageengine Pam360
Manageengine Password Manager Pro
Configuration A
50 vulnerable
Vulnerable SoftwareAffected Versions
Zohocorp
Manageengine Access Manager Plus
Version 4.0 build4000
Manageengine Access Manager Plus
Version 4.1 build4100
Manageengine Access Manager Plus
Version 4.1 build4101
Manageengine Access Manager Plus
Version 4.2 build4200
Manageengine Access Manager Plus
Version 4.2 build4201
Manageengine Access Manager Plus
Version 4.2 build4202
Manageengine Access Manager Plus
Version 4.2 build4203
Manageengine Access Manager Plus
Version 4.3 build4300
Manageengine Access Manager Plus
Version 4.3 build4301
Zohocorp
Manageengine Pam360
Version 4.0 build4001
Manageengine Pam360
Version 4.0 build4002
Manageengine Pam360
Version 4.1 build4100
Manageengine Pam360
Version 4.1 build4101
Manageengine Pam360
Version 4.5 build4500
Manageengine Pam360
Version 4.5 build4501
Manageengine Pam360
Version 5.0 build5000
Manageengine Pam360
Version 5.0 build5001
Manageengine Pam360
Version 5.0 build5002
Manageengine Pam360
Version 5.0 build5003
Manageengine Pam360
Version 5.0 build5004
Manageengine Pam360
Version 5.1 build5100
Manageengine Pam360
Version 5.2 build5200
Manageengine Pam360
Version 5.3 build5300
Manageengine Pam360
Version 5.3 build5301
Manageengine Pam360
Version 5.3 build5302
Manageengine Pam360
Version 5.4 build5400
Zohocorp
Manageengine Password Manager Pro
Version 10.1 build10103
Manageengine Password Manager Pro
Version 10.1 build10104
Manageengine Password Manager Pro
Version 10.2 build10200
Manageengine Password Manager Pro
Version 10.3 build10300
Manageengine Password Manager Pro
Version 10.3 build10301
Manageengine Password Manager Pro
Version 10.3 build10302
Manageengine Password Manager Pro
Version 10.4 build10400
Manageengine Password Manager Pro
Version 10.4 build10401
Manageengine Password Manager Pro
Version 10.4 build10402
Manageengine Password Manager Pro
Version 11.1 11104
Manageengine Password Manager Pro
Version 11.1 build_11101
Manageengine Password Manager Pro
Version 11.1 build_11102
Manageengine Password Manager Pro
Version 11.1 build_11103
Manageengine Password Manager Pro
Version 11.2 build11200
Manageengine Password Manager Pro
Version 11.2 build11201
Manageengine Password Manager Pro
Version 11.3 build11300
Manageengine Password Manager Pro
Version 11.3 build11301
Manageengine Password Manager Pro
Version 12.0 build12000
Manageengine Password Manager Pro
Version 12.0 build12001
Manageengine Password Manager Pro
Version 12.0 build12002
Manageengine Password Manager Pro
Version 12.0 build12003
Manageengine Password Manager Pro
Version 12.0 build12004
Manageengine Password Manager Pro
Version 12.0 build12005
Manageengine Password Manager Pro
Version 12.0 build12006

Related CWEs

CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

References (4)

Source: cve@mitre.org
Vendor Advisory
Source: cve@mitre.org
ExploitThird Party Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
Vendor Advisory
Source: af854a3a-2127-422b-91ae-364da2661108
ExploitThird Party Advisory

Timeline

No history available yet.