CVE-2024-5490: 
Zoho ManageEngine ADAudit Plus vulnerability analysis and mitigation

Zohocorp ManageEngine ADAudit Plus versions below 8000 are affected by an authenticated SQL injection vulnerability in the aggregate reports option. The vulnerability was discovered and fixed in build 8000, released on March 01, 2024. This security issue has been assigned CVE-2024-5490 and carries a high severity rating with a CVSS v3.1 base score of 8.8 (NVD CVSS).

The vulnerability is classified as an SQL injection (CWE-89) that affects the aggregate reports functionality in ManageEngine ADAudit Plus. The issue requires authentication to exploit, indicating that an attacker would need valid credentials to access the vulnerable component. The vulnerability has received a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and high impact potential across confidentiality, integrity, and availability (NVD CVSS).

The vulnerability allows an authenticated adversary to execute custom queries and access database table entries through the vulnerable request. This could potentially lead to unauthorized access to sensitive information stored in the database, manipulation of data, and compromise of the system's integrity (ManageEngine Advisory).

ManageEngine has released a fix for this vulnerability in build 8000. Organizations using affected versions of ADAudit Plus should immediately upgrade their installations to build 8000 using the service pack to remediate this security issue (ManageEngine Advisory).

The vulnerability was reported by security researcher minhgalaxy, demonstrating active security research engagement with ManageEngine products (ManageEngine Advisory).