- **Vulnerability**: ManageEngine Password Manager Pro 8.1 SQL Injection vulnerability
- **Author**: Blazej Adamczyk
- **Date**: 2015-06-30
- **Vendor**: ManageEngine
- **Link**: https://www.manageengine.com/products/passwordmanagerpro/download.html
- **Version Affected**: 8.1 and below
- **Description**: An authenticated user (including guest users) can execute arbitrary SQL code using a forged request to the `SQLAdvancedALSearchResult.cc`.
- **Details**: SQL injection issue in the `AdvanceSearch.class` of `AdventNetPassTrix.jar` due to improper escaping when more than one condition is specified in the advanced search.
- **Example URL**: `https://localhost:7272/STATE_ID/1425543888647/SQLAdvancedALSearchResult.cc?ANDOR=***HERE_INJECT***&condition_1=Ptrx_Resource@RESOURCENAME$operator_1=CONTAINS&value_1=asd&condition_2=Ptrx_Resource@RESOURCENAME&operator_2=CONTAINS&value_2=asd2&FLAG=TRUE&COUNT=-2&USERID=***USERID***&ADVSEARCH=true&SUBREQUEST=XMLHTTP`
- **Contact**: passwordmanagerpro-support @ manageengine.com
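
The root cause described under Details is that the `ANDOR` connector joins the conditions as SQL syntax, so it cannot be passed as a bound parameter and has to be checked against an allowlist instead. The sketch below is an added example, not the vendor's code or fix: the table name `ptrx_resource`, the column mapping, the `EQUALS` operator and all function names are assumptions, and SQLite stands in for the product's database.

```python
import sqlite3

# Assumed allowlists: the advisory does not show the product's schema or operator set.
CONNECTORS = {"AND", "OR"}
COLUMNS = {"Ptrx_Resource@RESOURCENAME": "resourcename"}
OPERATORS = {"CONTAINS": "LIKE ? ESCAPE '\\'", "EQUALS": "= ?"}


def _like_pattern(value):
    """Escape LIKE wildcards so the user value is matched literally."""
    for ch in ("\\", "%", "_"):
        value = value.replace(ch, "\\" + ch)
    return "%" + value + "%"


def build_search(andor, conditions):
    """Return (sql, params) for condition_N/operator_N/value_N triples.

    Raises ValueError for anything that is not on an allowlist.
    """
    connector = andor.strip().upper()
    if connector not in CONNECTORS:  # SQL keyword: validate, never concatenate raw
        raise ValueError("invalid ANDOR value")
    if not conditions:
        raise ValueError("no conditions supplied")
    clauses, params = [], []
    for cond, op, value in conditions:
        if cond not in COLUMNS or op not in OPERATORS:
            raise ValueError("invalid condition or operator")
        clauses.append(f"{COLUMNS[cond]} {OPERATORS[op]}")
        params.append(_like_pattern(value) if op == "CONTAINS" else value)
    where = f" {connector} ".join(clauses)
    return f"SELECT resourcename FROM ptrx_resource WHERE {where}", params


def demo_search(andor, conditions):
    """Run the built query against constructed sample rows in memory."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ptrx_resource (resourcename TEXT)")
    db.executemany("INSERT INTO ptrx_resource VALUES (?)",
                   [("asd-web",), ("asd2-db",), ("mail",)])  # constructed data
    sql, params = build_search(andor, conditions)
    return sorted(row[0] for row in db.execute(sql, params))
```

Only the two allowlisted keywords and the mapped column names ever reach the SQL text; every user-supplied value travels as a bound parameter.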