CVE-2024-21775: 
Zoho ManageEngine Exchange Reporter Plus vulnerability analysis and mitigation

CVE-2024-21775 is an authenticated SQL injection vulnerability affecting Zoho ManageEngine Exchange Reporter Plus versions 5714 and below, specifically in the report exporting feature. The vulnerability was discovered by minhgalaxy and was disclosed on February 16, 2024, with a fix released on January 24, 2024 in build 5715 (Vendor Advisory).

The vulnerability is classified as SQL injection (CWE-89) with a CVSS v3.1 base score of 8.8 (HIGH) according to NIST's assessment, while ManageEngine rates it at 8.3 (HIGH). The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating that the vulnerability is network accessible, requires low attack complexity, needs low privileges, requires no user interaction, and has high impacts on confidentiality, integrity, and availability (NVD).

A successful exploitation of this vulnerability could result in the attacker gaining administrative rights to the product database, potentially compromising sensitive information and system integrity (Vendor Advisory).

ManageEngine has released a fix in build 5715. Users are strongly advised to update Exchange Reporter Plus to the latest build immediately. To check the current version, users can log in to the product as an administrator and click the License link in the top-right corner of the screen (Vendor Advisory).