CVE-2024-9459

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Nov 5, 2024 / Updated: 14d ago

CVSS 8.8 | EPSS 0.04% | High

Summary

Zohocorp ManageEngine Exchange Reporter Plus versions 5718 and prior are vulnerable to authenticated SQL Injection in the reports module. This vulnerability is classified as an improper neutralization of special elements used in an SQL command, falling under the category CWE-89.

Impact

This vulnerability has a high impact on both confidentiality and integrity, with potential consequences including unauthorized access to sensitive data, modification of database contents, and possible execution of administrative operations on the database. In severe cases, it could lead to command execution on the underlying operating system. The vulnerability can be exploited over the network with low attack complexity and requires low privileges. No user interaction is needed for exploitation.

Exploitation

There is no evidence that a public proof-of-concept exists. There is no evidence of proof of exploitation at the moment.

Patch

A specific patch is not explicitly mentioned; the vulnerability affects versions 5718 and prior of ManageEngine Exchange Reporter Plus, so a patched version (5719 or later) is likely available or forthcoming.

Mitigation

1. Upgrade ManageEngine Exchange Reporter Plus to a version newer than 5718 if available.
2. Implement strong input validation and parameterized queries in the reports module.
3. Apply the principle of least privilege to database accounts used by the application.
4. Use web application firewalls (WAF) to detect and block SQL injection attempts.
5. Regularly audit and monitor database activities for any suspicious queries or unauthorized access attempts.
6. If upgrading is not immediately possible, consider restricting network access to the Exchange Reporter Plus application.
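The second mitigation, parameterized queries, is the control that removes CWE-89 at the root. The following is an added illustration written for this page, not code from ManageEngine or from the affected reports module: it uses a constructed in-memory SQLite table standing in for a report (hypothetical `mailbox_report` schema) and places a query built by string concatenation beside one that binds the filter value as a parameter. It also shows the one case parameters cannot cover, a caller-chosen sort column, which must instead be checked against an allowlist.

```python
import sqlite3

# Constructed sample rows for a hypothetical mailbox report; not the product's schema.
SAMPLE_ROWS = [
    ("alice@example.test", 120, "2024-10-01"),
    ("bob@example.test", 45, "2024-10-02"),
    ("carol@example.test", 300, "2024-10-03"),
]

# Identifiers (column names) cannot be bound as parameters, so a report's
# sort column must be validated against an allowlist before it is interpolated.
ALLOWED_SORT_COLUMNS = {"mailbox", "message_count", "report_date"}


def make_db():
    """Create an in-memory database holding the constructed sample report."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mailbox_report (mailbox TEXT, message_count INTEGER, report_date TEXT)"
    )
    conn.executemany("INSERT INTO mailbox_report VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_report(conn, mailbox_filter):
    """CWE-89 pattern: the filter is spliced into the SQL text, so quote
    characters in it are parsed as SQL and change the query's meaning."""
    sql = (
        "SELECT mailbox, message_count FROM mailbox_report "
        f"WHERE mailbox = '{mailbox_filter}'"
    )
    return conn.execute(sql).fetchall()


def safe_report(conn, mailbox_filter, sort_by="mailbox"):
    """Hardened form: the filter is bound as a parameter, so the driver treats
    the whole string as data; the sort column is allowlisted, not trusted."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = (
        "SELECT mailbox, message_count FROM mailbox_report "
        f"WHERE mailbox = ? ORDER BY {sort_by}"
    )
    return conn.execute(sql, (mailbox_filter,)).fetchall()


def demo():
    """Run both versions on a normal filter and on a constructed tautology string."""
    conn = make_db()
    normal = "bob@example.test"
    tautology = "x' OR '1'='1"   # constructed test string containing a quote
    return {
        "vulnerable_normal": len(vulnerable_report(conn, normal)),
        "vulnerable_tautology": len(vulnerable_report(conn, tautology)),
        "safe_normal": len(safe_report(conn, normal)),
        "safe_tautology": len(safe_report(conn, tautology)),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows} row(s)")
```

Running `demo()` shows the difference directly: the concatenated query returns every row for the quote-bearing filter, while the parameterized query returns none, because no mailbox literally equals that string. Pairing this with mitigation 3 (a database account limited to SELECT on the report tables) bounds what even an undiscovered injection could do.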

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

CVE Assignment

NVD published the first details for CVE-2024-9459

Nov 5, 2024 at 6:15 AM
CVSS

A CVSS base score of 8.3 has been assigned.

Nov 5, 2024 at 6:20 AM / nvd
First Article

Feedly found the first article mentioning CVE-2024-9459. See article

Nov 5, 2024 at 6:20 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Nov 5, 2024 at 6:20 AM
EPSS

EPSS Score was set to: 0.04% (Percentile: 10%)

Nov 6, 2024 at 10:26 AM
CVSS

A CVSS base score of 8.8 has been assigned.

Nov 6, 2024 at 3:30 PM / nvd

Affected Systems

Zohocorp/manageengine_exchange_reporter_plus

Patches

www.manageengine.com

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

News

Security Bulletin 06 Nov 2024 - Cyber Security Agency of Singapore
For those vulnerabilities without assigned CVSS scores, please visit NVD for the updated CVSS vulnerability entries. CRITICAL VULNERABILITIES . CVE ...
CVE-2024-9459
High Severity Description Zohocorp ManageEngine Exchange Reporter Plus versions 5718 and prior are vulnerable to authenticated SQL Injection in reports module. Read more at https://www.tenable.com/cve/CVE-2024-9459
CVE-2024-9459 | Zoho ManageEngine Exchange Reporter Plus up to 5718 Reports Module sql injection
A vulnerability was found in Zoho ManageEngine Exchange Reporter Plus up to 5718 and classified as critical . Affected by this issue is some unknown functionality of the component Reports Module . The manipulation leads to sql injection. This vulnerability is handled as CVE-2024-9459 . The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.
CVE-2024-9459 - Zohocorp ManageEngine Exchange Reporter Plus SQL Injection Vulnerability
CVE ID : CVE-2024-9459 Published : Nov. 5, 2024, 6:15 a.m. 47 minutes ago Description : Zohocorp ManageEngine Exchange Reporter Plus versions 5718 and prior are vulnerable to authenticated SQL Injection in reports module. Severity: 8.3 HIGH Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2024-9459
Zohocorp ManageEngine Exchange Reporter Plus versions 5718 and prior are vulnerable to authenticated SQL Injection in reports module.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability Impact: High
