Local File Inclusion (CVE-2024-9100) Vulnerability in Zoho Analytics On-Premise

Severity: Medium

CVE ID: CVE-2024-9100

Product name: Zoho Analytics On-Premise
Affected Software Version(s): All Zoho Analytics On-Premise builds below 5410
Fixed Version(s): Build 5410
Fixed On: June 04, 2024

Details:

A Local File Inclusion (LFI) vulnerability has been discovered in Zoho Analytics On-Premise. This vulnerability enables an authenticated user to read arbitrary files from the server's filesystem through HSQLDB queries, potentially exposing sensitive information.

Impact:

This vulnerability allows users to access and read sensitive system files and configuration settings on the server.

Fix:

The issue has been resolved by restricting the use of specific keywords in SQL queries. The restricted keywords include load_file, database_name, database_version, and others.
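As an added illustration of the kind of keyword restriction the fix describes (this is not Zoho's code; only the three keyword names come from the advisory, while the tokenizer, the function names and the treatment of quoted identifiers are assumptions), the check below inspects SQL identifier tokens instead of raw substrings, so a keyword inside a string literal or a comment is not mistaken for a function call and case differences do not slip past it:

```python
import re

# Keywords named in the advisory. "and others" is not enumerated there, so
# only these three are listed (assumption: the real list is longer).
RESTRICTED_KEYWORDS = {"load_file", "database_name", "database_version"}

# Tokenizer (assumption: a simplified SQL lexer sufficient for this check).
_TOKEN_RE = re.compile(
    r"""
    (?P<string>'(?:[^']|'')*')          # single-quoted literal, '' escapes a quote
  | (?P<qident>"(?:[^"]|"")*")          # double-quoted identifier
  | (?P<line_comment>--[^\n]*)          # -- comment to end of line
  | (?P<block_comment>/\*.*?\*/)        # /* ... */ comment
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)   # bare identifier or function name
  | (?P<other>.)                        # any other single character
    """,
    re.VERBOSE | re.DOTALL,
)


def restricted_keywords_used(query: str) -> list[str]:
    """Return the restricted keywords that appear as identifiers in query.

    String literals and comments are separate tokens and are skipped, so
    SELECT 'load_file' is not flagged. Bare identifiers are compared
    case-insensitively, as SQL resolves them; quoted identifiers are
    lowercased too, which is deliberately conservative for a denylist.
    """
    hits: list[str] = []
    for m in _TOKEN_RE.finditer(query):
        kind = m.lastgroup
        if kind == "ident":
            name = m.group().lower()
        elif kind == "qident":
            name = m.group()[1:-1].replace('""', '"').lower()
        else:
            continue
        if name in RESTRICTED_KEYWORDS and name not in hits:
            hits.append(name)
    return hits


def is_query_allowed(query: str) -> bool:
    """True when the query references none of the restricted keywords."""
    return not restricted_keywords_used(query)
```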

Steps to upgrade:

  1. Kindly download the latest upgrade pack from here.
  2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above step.

Acknowledgements:

This vulnerability was reported by Nandhaguru in our Bug Bounty portal.

If you have any questions or concerns, please contact product support at the email addresses below: