SQL Injection Vulnerability in Technician Reports Option
CVE-2024-36485

8.8HIGH

Key Information:

Vendor: Manageengine
Status: Adaudit Plus
Vendor: CVE Published:; 4 November 2024

Summary

A SQL Injection vulnerability exists in the Technician reports feature of ManageEngine ADAudit Plus versions prior to 8121. This flaw allows unauthorized users to execute arbitrary SQL commands, which could lead to unauthorized access to sensitive data, modification of the database, or even full system compromise. Organizations utilizing affected versions are strongly advised to apply any available patches or updates to mitigate potential risks.

Affected Version(s)

ADAudit Plus 0 < 8121

References

https://www.manageengine.com/products/active-directory-au...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 4, 2024
Vulnerability Reserved
Jul 16, 2024