Local File Inclusion (CVE-2024-9100) Vulnerability in Zoho Analytics On-Premise

Severity: Medium

CVE ID: CVE-2024-9100

Product name              | Affected Software Version(s)                      | Fixed Version | Fixed On
Zoho Analytics On-Premise | All Zoho Analytics On-Premise builds below 5410   | Build 5410    | June 04, 2024

Details

A Local File Inclusion (LFI) vulnerability has been discovered in Zoho Analytics On-Premise. This vulnerability enables an authenticated user to read arbitrary files from the server's file system through HSQLDB queries, potentially exposing sensitive information.

Impact

This vulnerability allows users to access and read sensitive system files and configuration settings on the server.

Fix

The issue has been resolved by restricting the use of specific keywords in SQL queries. The restricted keywords include load_file, database_name, database_version, and others.
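The advisory describes the fix as a keyword restriction on user-supplied SQL. The example below is added here to show how such a check can be made token-aware; it is not Zoho's code and does not reflect how the product implements the restriction. The keyword set is the three names the advisory lists (the "others" are unknown and omitted), the query strings are constructed samples, and the HSQLDB-style comment and quoting rules the tokenizer assumes are stated in the comments. The naive substring check is included alongside it to show the false positives a token-aware check avoids; a keyword denylist of this kind remains a mitigation, and an allowlist of the functions a report is permitted to call is the stronger design.

```python
import re

# Keywords named in the advisory. The advisory says "and others"; those are not
# public, so this set is an illustrative assumption, not Zoho's actual list.
RESTRICTED_KEYWORDS = frozenset({"load_file", "database_name", "database_version"})

# Tokenizer for the subset of SQL syntax that matters to the check. Comments and
# string literals are consumed whole so that a keyword appearing inside them is
# not reported; identifiers are the only tokens the check looks at.
_TOKEN_RE = re.compile(
    r"""
    (?P<line_comment>--[^\n]*)            # -- to end of line
  | (?P<block_comment>/\*.*?\*/)          # /* ... */
  | (?P<string>'(?:[^']|'')*')            # 'literal' with '' as the escape
  | (?P<quoted_ident>"(?:[^"]|"")*")      # "Quoted Identifier"
  | (?P<ident>[A-Za-z_][A-Za-z0-9_]*)     # bare identifier or keyword
  | (?P<other>.)                          # operators, punctuation, whitespace
    """,
    re.VERBOSE | re.DOTALL,
)


def identifier_tokens(sql):
    """Yield lower-cased identifier tokens, skipping comments and string literals.

    Unquoted SQL identifiers are case-insensitive, so they are folded to lower
    case. Quoted identifiers are folded too: this is deliberately conservative,
    because "LOAD_FILE" and load_file name the same routine in a dialect that
    stores unquoted names in upper case.
    """
    for m in _TOKEN_RE.finditer(sql):
        if m.lastgroup == "ident":
            yield m.group().lower()
        elif m.lastgroup == "quoted_ident":
            yield m.group()[1:-1].replace('""', '"').lower()


def find_restricted_keywords(sql, restricted=RESTRICTED_KEYWORDS):
    """Return restricted keywords referenced in sql, in order of first appearance."""
    found = []
    for tok in identifier_tokens(sql):
        if tok in restricted and tok not in found:
            found.append(tok)
    return found


def naive_substring_check(sql, restricted=RESTRICTED_KEYWORDS):
    """The first check most people write: substring match on the lowered query.

    Kept only for comparison. It flags benign identifiers that merely contain a
    restricted name (payload_file_name contains load_file) and flags keywords
    that occur only inside comments or string literals.
    """
    lowered = sql.lower()
    return [kw for kw in sorted(restricted) if kw in lowered]


if __name__ == "__main__":
    # Constructed sample queries, not taken from the advisory.
    cases = {
        "direct call": "SELECT LOAD_FILE('/some/path')",
        "mixed case": "select Load_File('x') from t",
        "quoted identifier": 'SELECT "LOAD_FILE"(\'x\')',
        "benign column name": "SELECT payload_file_name FROM uploads",
        "keyword only in comment": "SELECT 1 -- load_file is not called here",
        "keyword only in string": "SELECT 'load_file' AS label",
        "two keywords": "SELECT database_name(), DATABASE_VERSION()",
    }
    for name, sql in cases.items():
        print(f"{name:26} token-aware={find_restricted_keywords(sql)} "
              f"naive={naive_substring_check(sql)}")
```

Run stand-alone, the script prints both results side by side for each sample; the benign column and the comment/string cases are where the two checks disagree. A production filter would sit at the point where user-authored report SQL is accepted, reject the query when the returned list is non-empty, and log the match so the attempt is visible to the operations team.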

Steps to upgrade

  1. Kindly download the latest upgrade pack from the service pack page.
  2. Follow the instructions detailed in the above service pack page to upgrade to the latest build.

Acknowledgements

This vulnerability was reported by Nandhaguru through our Bug Bounty portal.

For any questions or concerns, please write to us at onprem-support@zohoanalytics.com.