PT-2024-8782 · Zohocorp · Zoho Manageengine Adaudit Plus

Nhien Pham

Published

2024-06-14

Updated

2024-08-16

CVE-2024-5527

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Zohocorp ManageEngine ADAudit Plus versions below 8110

Description: The issue is related to the file auditing configuration, where the lack of protection of the SQL query structure allows for authenticated SQL injection. This can enable a remote attacker to execute custom queries and gain access to database table records.

Recommendations: For versions below 8110, update to a version 8110 or later to resolve the authenticated SQL injection issue in the file auditing configuration. As a temporary workaround, consider restricting access to the file auditing configuration to minimize the risk of exploitation.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-89

Related Identifiers

BDU:2024-10401

CVE-2024-5527

Affected Products

Zoho Manageengine Adaudit Plus

PT-2024-8782 · Zohocorp · Zoho Manageengine Adaudit Plus

CVE-2024-5527

Weakness Enumeration

Related Identifiers

Affected Products

References · 11