PT-2024-8781 · Zohocorp · Zoho Manageengine Adaudit Plus

Nhien Pham · Published 2024-06-14 · Updated 2024-08-16 · CVE-2024-5487

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Zohocorp ManageEngine ADAudit Plus versions below 8110
Description: This is an authenticated SQL injection vulnerability in the export option of the attack surface analyzer. The SQL query structure lacks protection, which can be exploited to execute custom queries and gain access to database table records.
Recommendations: For versions below 8110, update to a version above 8110 to resolve the issue. As a temporary workaround, consider restricting access to the attack surface analyzer's export option until a patch is available. Avoid using the export option in the attack surface analyzer until the issue is resolved. At the moment, there is no information about additional mitigation measures.

Fix

SQL injection

Weakness Enumeration

Related Identifiers

BDU:2024-10400
CVE-2024-5487

Affected Products

Zoho Manageengine Adaudit Plus