CVE-2024-6204: 
Zoho ManageEngine Exchange Reporter Plus vulnerability analysis and mitigation

Zohocorp ManageEngine Exchange Reporter Plus versions before build 5715 were found to contain an authenticated SQL injection vulnerability in the reports module. The vulnerability was discovered by researcher minhgalaxy and was assigned CVE-2024-6204. The issue was fixed on January 24, 2024, with the release of build 5715 (Vendor Advisory).

The vulnerability is classified as SQL Injection (CWE-89) with a CVSS v3.1 base score of 8.1 (High) according to NVD's assessment. The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U) with high impacts on confidentiality (C:H) and integrity (I:H), but no impact on availability (A:N) (NVD).

The vulnerability allows an authenticated attacker to execute custom queries and access entries in the database table through the vulnerable request in the Reports tab. This could potentially lead to unauthorized access to sensitive information stored in the database (Vendor Advisory).

ManageEngine strongly advises customers to update Exchange Reporter Plus to build 5715 or later immediately. Users can download the latest service pack from the vendor's website and apply it to their existing product installation. For assistance with the update process, users can contact product support at support@exchangereporterplus.com (Vendor Advisory).