Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.
The vulnerability results from a lack of proper validation and sanitization of input data passed to SQL queries in the aggregate reports module. An attacker can inject their own SQL code over the network without the need to possess any credentials (PR:N, UI:N). The attack vector is network-based, and the attack complexity is low, making exploitation relatively easy to perform.
Successful exploitation could allow an attacker to perform unauthorized read, modify, or delete data collected in the application database, including potentially sensitive Active Directory audit data. Depending on the database server configuration, it is also possible to gain full control over the system.
Zoho ManageEngine ADAudit Plus should be updated to version 7271 or later, in which the vendor introduced a fix for the described SQL Injection vulnerability. Details available at: https://www.manageengine.com/products/active-directory-audit/sqlfix-7271.html
Zoho ManageEngine ADAudit Plus in versions up to and including 7250.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HZohocorp Manageengine Adaudit Plus
APPZohocorp7.2< 7.2
Related vulnerabilities
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code exec...
SQL Injection w Zoho ManageEngine ADAudit Plus — eksport raportów
Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads...
Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files.
An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before bui...