8.8
CVE-2024-21775
- EPSS 0.62%
- Published 16.02.2024 15:15:08
- Last modified 26.11.2024 16:34:43
- Source 0fc0942c-577d-436f-ae8e-945763
- Teams watchlist Login
- Open Login
Zoho ManageEngine Exchange Reporter Plus versions 5714 and below are vulnerable to the Authenticated SQL injection in report exporting feature.
Data is provided by the National Vulnerability Database (NVD)
Zohocorp ≫ Manageengine Exchange Reporter Plus Version < 5.7
Zohocorp ≫ Manageengine Exchange Reporter Plus Version5.7 Update-
Zohocorp ≫ Manageengine Exchange Reporter Plus Version5.7 Update5700
Zohocorp ≫ Manageengine Exchange Reporter Plus Version5.7 Update5701
Zohocorp ≫ Manageengine Exchange Reporter Plus Version5.7 Update5702
Zohocorp ≫ Manageengine Exchange Reporter Plus Version5.7 Update5703
Zohocorp ≫ Manageengine Exchange Reporter Plus Version5.7 Update5704
Zohocorp ≫ Manageengine Exchange Reporter Plus Version5.7 Update5705
Zohocorp ≫ Manageengine Exchange Reporter Plus Version5.7 Update5706
Zohocorp ≫ Manageengine Exchange Reporter Plus Version5.7 Update5707
Zohocorp ≫ Manageengine Exchange Reporter Plus Version5.7 Update5708
Zohocorp ≫ Manageengine Exchange Reporter Plus Version5.7 Update5709
Zohocorp ≫ Manageengine Exchange Reporter Plus Version5.7 Update5710
Zohocorp ≫ Manageengine Exchange Reporter Plus Version5.7 Update5711
Zohocorp ≫ Manageengine Exchange Reporter Plus Version5.7 Update5712
Zohocorp ≫ Manageengine Exchange Reporter Plus Version5.7 Update5713
Zohocorp ≫ Manageengine Exchange Reporter Plus Version5.7 Update5714
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.62% | 0.692 |
| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
| 0fc0942c-577d-436f-ae8e-945763c79b02 | 8.3 | 2.8 | 5.5 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L
|
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.