CVE-2024-5608: 
Zoho ManageEngine ADAudit Plus vulnerability analysis and mitigation

Zohocorp ManageEngine ADAudit Plus versions below 8121 contain a SQL Injection vulnerability (CVE-2024-5608) in the technician reports feature. The vulnerability was discovered internally and fixed in build 8121 released on August 19, 2024 (Vendor Advisory).

The vulnerability is classified as SQL Injection (CWE-89) with a CVSS v3.1 base score of 8.1 (High) according to NIST, and 8.3 (High) according to ManageEngine. The CVSS vector string is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, indicating that the vulnerability is network accessible, requires low attack complexity and low privileges, needs no user interaction, and can result in high confidentiality and integrity impact (NVD).

This vulnerability could allow an authenticated adversary to execute custom queries and access the database table entries using the vulnerable request in the Technician reports feature (Vendor Advisory).

Users should update their ADAudit Plus instance to build 8121 using the service pack. This build contains the fix for the SQL injection vulnerability (Vendor Advisory).