CVE-2024-38871: 
Zoho ManageEngine Exchange Reporter Plus vulnerability analysis and mitigation

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below contain an authenticated SQL injection vulnerability in the reports module. The vulnerability was discovered by researcher minhgalaxy and was fixed in build 5718, released on July 15, 2024 (Vendor Advisory).

The vulnerability is classified as SQL Injection (CWE-89) with a CVSS v3.1 base score of 8.8 (High) according to NIST's assessment, with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The vendor's own assessment rates it slightly lower at 8.3 with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L (NVD).

This vulnerability allows an authenticated adversary to execute custom queries and access entries in the database table using the vulnerable request in the Reports tab (Vendor Advisory).

Users are strongly advised to update Exchange Reporter Plus to build 5718 or later immediately. The update can be applied by downloading the latest service pack from the vendor's website and following the provided installation instructions. Users requiring assistance with the update can contact product support at support@exchangereporterplus.com (Vendor Advisory).