CVE-2023-2291

Published: Apr 26, 2023Modified: Feb 3, 2025

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

Static credentials exist in the PostgreSQL data used in ManageEngine Access Manager Plus (AMP) build 4309, ManageEngine Password Manager Pro, and ManageEngine PAM360. These credentials could allow a malicious actor to modify configuration data that would escalate their permissions from that of a low-privileged user to an Administrative user.

Affected (3)

Products: Zohocorp: Manageengine Access Manager Plus, Manageengine Pam360, Manageengine Password Manager Pro

Zohocorp

3 products

Manageengine Access Manager Plus

Manageengine Pam360

Manageengine Password Manager Pro

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Zohocorp Manageengine Access Manager Plus	Version 4.3 build4309
Zohocorp Manageengine Pam360	All versions
Zohocorp Manageengine Password Manager Pro	All versions

Related CWEs

CWE-798

Use of Hard-coded Credentials

The product contains hard-coded credentials, such as a password or cryptographic key.

References (2)

https://tenable.com/security/research/tra-2023-16

Source: vulnreport@tenable.com

ExploitThird Party Advisory

https://tenable.com/security/research/tra-2023-16

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.