Sensitive Data Exposure (CVE-2024-52323) in Zoho Analytics On-Premise Leading to Privilege Escalation
Severity: High
CVE ID: CVE-2024-52323
Product name | Affected Software Version(s) | Fixed Version | Fixed On |
---|---|---|---|
Zoho Analytics On-Premise | Zoho Analytics On-Premise builds below 6100 | Build 6100 | November 27, 2024 |
Details
A Sensitive Data Exposure vulnerability has been identified in Zoho Analytics On-Premise that allows an authenticated user to retrieve sensitive tokens associated with the org-admin account. This could lead to unintended privilege escalation.
Impact
This vulnerability enables an attacker to perform admin actions, such as adding or removing users and altering configurations.
Fix
We have addressed this issue by removing the unused and vulnerable code from our application.
Steps to upgrade
- Kindly download the latest upgrade pack from here.
- Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above step.
Acknowledgements
This vulnerability was reported by Mohamed Mekkawy working with Trend Micro's Zero Day Initiative in our Bug Bounty portal.
For any questions or concerns, please write to us at onprem-support@zohoanalytics.com