CVE-2024-0253: 
Zoho ManageEngine ADAudit Plus vulnerability analysis and mitigation

ManageEngine ADAudit Plus versions 7270 and below contain an authenticated SQL injection vulnerability in the home Graph-Data component. The vulnerability was disclosed on January 12, 2024 and was assigned CVE-2024-0253. This security flaw affects all ADAudit Plus builds below version 7271 (Vendor Advisory).

The vulnerability is classified as a SQL injection flaw (CWE-89) that exists in the Dashboard's Graphical and Summary views. It has received a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and requiring low privileges but no user interaction (NVD).

If successfully exploited, this vulnerability allows an authenticated adversary to execute custom queries and access the database table entries using the vulnerable request. The high CVSS impact scores for confidentiality, integrity, and availability (all rated as High) indicate potential comprehensive impact on the system (Vendor Advisory).

ManageEngine has released version 7271 to address this vulnerability. Organizations are advised to update their ADAudit Plus instance to build 7271 using the service pack to remediate this security issue (Vendor Advisory).