CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2023-48793

CVSS 9.8v3.1pub. 2024-02-02upd. 2025-06-11

Zoho ManageEngine ADAudit Plus through 7250 allows SQL Injection in the aggregate report feature.

🤖 AI Analysis
How it works

The vulnerability results from a lack of proper validation and sanitization of input data passed to SQL queries in the aggregate reports module. An attacker can inject their own SQL code over the network without the need to possess any credentials (PR:N, UI:N). The attack vector is network-based, and the attack complexity is low, making exploitation relatively easy to perform.

Impact

Successful exploitation could allow an attacker to perform unauthorized read, modify, or delete data collected in the application database, including potentially sensitive Active Directory audit data. Depending on the database server configuration, it is also possible to gain full control over the system.

Mitigation & patch

Zoho ManageEngine ADAudit Plus should be updated to version 7271 or later, in which the vendor introduced a fix for the described SQL Injection vulnerability. Details available at: https://www.manageengine.com/products/active-directory-audit/sqlfix-7271.html

Who is affected

Zoho ManageEngine ADAudit Plus in versions up to and including 7250.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Zohocorp Manageengine Adaudit Plus

    APP
    Zohocorp
    7.2< 7.2
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
SQLi
CWE
References

Related vulnerabilities

CVE-2022-47966CRITICAL9.8⚠ KEVten sam produkt

Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code exec...

CVE-2023-48792CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Zoho ManageEngine ADAudit Plus — eksport raportów

CVE-2022-28219CRITICAL9.8ten sam produkt

Cewolf in Zoho ManageEngine ADAudit Plus before 7060 is vulnerable to an unauthenticated XXE attack that leads...

CVE-2021-42847CRITICAL9.8ten sam produkt

Zoho ManageEngine ADAudit Plus before 7006 allows attackers to write to, and execute, arbitrary files.

CVE-2020-24786CRITICAL9.8ten sam produkt

An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before bui...