Zoho ManageEngine ADAudit Plus through 7250 is vulnerable to SQL Injection in the report export option.
An attacker can inject malicious SQL code through parameters related to the report export function in the application. Due to the lack of validation and proper query parameterization, the entered data goes directly to the database engine. The attack vector is network-based, requires no privileges or user interaction, making this vulnerability particularly dangerous.
Successful exploitation of this vulnerability may allow an attacker to perform unauthorized read, modification, or deletion of data from the application database, and depending on the environment configuration, also to execute commands at the database server level.
Zoho ManageEngine ADAudit Plus should be updated to version 7271 or later, in which the vendor introduced fixes described at: https://www.manageengine.com/products/active-directory-audit/sqlfix-7271.html
Zoho ManageEngine ADAudit Plus versions up to and including 7250.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HZohocorp Manageengine Adaudit Plus
APPZohocorp7.2< 7.2
Related vulnerabilities
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code exec...
SQL Injection w Zoho ManageEngine ADAudit Plus — funkcja raportów agregowanych
Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads...
Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files.
An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before bui...