Manageengine Analytics Plus: Security vulnerability allows privilege escalation
Attackers can abuse a vulnerability in Zohocorp's Manageengine Analytics Plus to escalate their privileges.
(Image: created with AI in Bing Designer by heise online / dmk)
A vulnerability in Manageengine Analytics Plus from Zohocorp lets attackers escalate their privileges. The route to that is unauthorized access to sensitive data.
In Zoho's security advisory, the authors explain that the vulnerability exposes sensitive data: logged-in users can read sensitive tokens tied to the "org-admin" account. Anyone holding those tokens can act with rights the application never meant to grant them (CVE-2024-52323, CVSS 8.1, risk "high").
Vulnerability provides admin rights
"This vulnerability allows attackers to perform admin actions. For example, they can add or remove users and change configurations," explain the authors of the security advisory.
According to the developers, the fix consists of removing unused and vulnerable code from the application; with that code gone, the vulnerability no longer exists.
Manageengine Analytics Plus ingests and analyzes data from various applications on the network, for example to produce reports for administrators. Builds prior to the newly released build 6100 are affected; build 6100 closes the vulnerability. IT managers should "kindly download and apply the latest upgrade pack" from the corresponding download page, which also links to an upgrade guide.
Earlier this month, Zoho already had to close a security gap in Manageengine ADManager Plus: an SQL injection vulnerability. According to the manufacturer, it allowed authenticated attackers to run queries of their own and thereby gain unauthorized access to database table entries.
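To make the ADManager Plus class of bug concrete, here is an added, constructed example that is not Zoho's code and says nothing about how ADManager Plus is actually built: a search function that pastes an authenticated user's input into SQL text, beside the same function with a bound parameter. The table names, the token value and the payload are all invented for the demo.

```python
"""Constructed SQL-injection demo (not ADManager Plus code).

An authenticated user's search string is concatenated into a query, so a
crafted value can UNION in rows from a table the user was never meant to
read. The hardened variant binds the value as a parameter instead, so the
input can only ever be compared as data, never parsed as SQL.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database with constructed sample data (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    cur.execute("CREATE TABLE api_tokens (owner TEXT, token TEXT)")
    cur.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    # Constructed secret that only an admin should ever be able to read.
    cur.executemany("INSERT INTO api_tokens VALUES (?, ?)",
                    [("org-admin", "tok-admin-0001")])
    conn.commit()
    return conn


def search_users_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable: the caller-controlled string becomes part of the SQL text."""
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def search_users_fixed(conn: sqlite3.Connection, name: str) -> list:
    """Hardened: a bound parameter; the input cannot change the query structure."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,)).fetchall()]


# Crafted search term: closes the string literal, then UNIONs in another table.
# The trailing "'1'='1" swallows the closing quote the template appends.
PAYLOAD = "x' UNION SELECT token FROM api_tokens WHERE '1'='1"


def demo() -> tuple:
    """Run the same payload through both variants and return (leaked, safe)."""
    conn = build_db()
    leaked = search_users_vulnerable(conn, PAYLOAD)  # token rows come back
    safe = search_users_fixed(conn, PAYLOAD)         # no user has that name
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable query returned:", leaked)
    print("parameterised query returned:", safe)
```

The point of the bound-parameter version is that the database driver sends the query text and the value separately, so no quoting tricks in the value can alter what the statement does; that is the standard remedy for the bug class the advisory describes.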
(dmk)