CVE-2024-38872: 
Zoho ManageEngine Exchange Reporter Plus vulnerability analysis and mitigation

Zohocorp ManageEngine Exchange Reporter Plus versions 5717 and below contain an authenticated SQL injection vulnerability in the monitoring module. The vulnerability was discovered and disclosed in July 2024, with a fix released on July 15, 2024 in build 5718 (Vendor Advisory).

The vulnerability is classified as SQL Injection (CWE-89) with a high severity rating. The National Vulnerability Database (NVD) assigned a CVSS v3.1 base score of 8.8 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while ManageEngine's assessment resulted in a CVSS score of 8.3 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L (NVD).

This vulnerability allows an authenticated adversary to execute custom queries and access entries in the database table using the vulnerable request in the Monitoring tab (Vendor Advisory).

ManageEngine has released build 5718 to address this vulnerability. Users are strongly advised to update their Exchange Reporter Plus installation immediately by downloading and applying the latest service pack. The update can be obtained from the ManageEngine website, and users requiring assistance with the update process can contact product support at support@exchangereporterplus.com (Vendor Advisory).