CVE-2024-0269: 
Zoho ManageEngine ADAudit Plus vulnerability analysis and mitigation

ManageEngine ADAudit Plus versions 7270 and below contain an Authenticated SQL injection vulnerability in the File-Summary DrillDown feature. The vulnerability was discovered and disclosed in January 2024, with a fix released in version 7271 (Vendor Advisory).

The vulnerability is classified as SQL Injection (CWE-89) with a CVSS v3.1 base score of 8.8 (HIGH) according to NIST's assessment, characterized by the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. ManageEngine's own assessment rates it slightly lower at 8.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L (NVD).

The vulnerability allows an authenticated adversary to execute custom queries and access database table entries using vulnerable requests. This could potentially lead to unauthorized access to sensitive data, data manipulation, and system compromise (Vendor Advisory).

The vulnerability has been fixed in ADAudit Plus build 7271, released on January 12, 2024. Users are advised to update their ADAudit Plus instance to this latest build using the service pack (Vendor Advisory).

The vulnerability was reported by security researcher minhgalaxy, among several other SQL injection vulnerabilities discovered in the same product (Vendor Advisory).