CVE-2023-48793: 
Zoho ManageEngine ADAudit Plus vulnerability analysis and mitigation

CVE-2023-48793 is a SQL injection vulnerability affecting Zoho ManageEngine ADAudit Plus through version 7250. The vulnerability specifically exists in the aggregate report feature of the application. This security issue was discovered and reported by Nhien Pham (aka nhienit) from bl4ckh0l3 team at GalaxyOne, with the fix being released on January 12, 2024 (Vendor Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. It is classified as CWE-89 (SQL Injection), allowing for improper neutralization of special elements used in SQL commands (NVD).

When exploited, this vulnerability can allow an authenticated adversary to execute custom queries and access the database table entries using the vulnerable request in the Dashboard's Graphical and Summary views, Summary Report exports, and file server configuration (Vendor Advisory).

The vulnerability has been fixed in ADAudit Plus build 7271. Organizations using affected versions are advised to update their ADAudit Plus instance to the latest build using the service pack (Vendor Advisory).