Zohocorp ManageEngine Exchange Reporter Plus Vulnerable to Authenticated SQL Injection
CVE-2024-38871

8.8HIGH

Key Information:

Vendor: Zohocorp
Status: Manageengine Exchange Reporter Plus
Vendor: CVE Published:; 26 July 2024

What is CVE-2024-38871?

The vulnerability in Zohocorp's ManageEngine Exchange Reporter Plus, specifically present in versions 5717 and earlier, allows for an authenticated SQL injection within the reports module. This flaw can be exploited by authenticated users to execute arbitrary SQL commands, which may lead to unauthorized access to sensitive data within the application's database. Without appropriate mitigation measures, this security issue poses a significant risk to the confidentiality and integrity of the information processed by the affected product.

References

https://www.manageengine.com/products/exchange-reports/ad...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 26, 2024