Zoho ManageEngine Exchange Reporter Plus Vulnerable to Authenticated SQL Injection
CVE-2024-21775

8.8HIGH

Key Information:

Vendor: Manageengine
Status: Exchange Reporter Plus
Vendor: CVE Published:; 16 February 2024

Summary

Zoho ManageEngine Exchange Reporter Plus versions up to 5714 are susceptible to an authenticated SQL injection vulnerability concerning its report exporting feature. This weakness could allow an attacker with valid credentials to exploit the system and execute arbitrary SQL commands. As a result, sensitive data may be exposed or manipulated, leading to potential data breaches and unauthorized access. It is crucial for users to apply necessary patches and updates to safeguard their systems against this type of attack.

Affected Version(s)

Exchange Reporter Plus Windows 0

References

https://www.manageengine.com/products/exchange-reports/ad...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 16, 2024
Vulnerability Reserved
Jan 11, 2024

Collectors

NVD DatabaseMitre Database