CVE-2021-37422: 
Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation

CVE-2021-37422 is a SQL injection vulnerability discovered in Zoho ManageEngine ADSelfService Plus versions 6111 and prior. The vulnerability was identified in July 2021 and affects the database linking functionality of the application. The issue specifically occurs when password synchronization is enabled for Oracle Database, where usernames are processed without proper sanitization during account linking between Active Directory and Oracle Database (ManageEngine Advisory).

The vulnerability is classified as a SQL injection flaw (CWE-89) where usernames provided during account linking are inserted into SQL queries without proper sanitization before being sent to the linked Oracle Database. This makes the application vulnerable to Boolean-based SQL injection attacks. The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its severe nature (NVD).

If successfully exploited, this vulnerability could lead to unauthorized exposure of data from ADSelfService Plus. The high CVSS score indicates potential for complete compromise of system confidentiality, integrity, and availability through remote exploitation (ManageEngine Advisory).

Zoho has addressed this vulnerability in ADSelfService Plus build 6112. Organizations using affected versions are strongly advised to update to build 6112 or later using the service pack to remediate this security issue (ManageEngine Advisory).