CVE-2021-40493
Description
Zoho ManageEngine OpManager before 125437 is vulnerable to SQL Injection in the support diagnostics module. This occurs via the pollingObject parameter of the getDataCollectionFailureReason API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ManageEngine OpManager before build 125437 is vulnerable to SQL injection in the support diagnostics module via the pollingObject parameter, allowing attackers to execute arbitrary SQL commands.
Vulnerability
An SQL injection vulnerability exists in the support diagnostics module of Zoho ManageEngine OpManager [1]. The flaw is present in the getDataCollectionFailureReason API, specifically via the pollingObject parameter. Affected builds range from version 125140 up to 125436. The vulnerability was fixed in builds 125437 and 125453 [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the getDataCollectionFailureReason API endpoint with a malicious pollingObject parameter [1]. The advisory does not specify authentication requirements, but the API is part of the support diagnostics module, which may be accessible to authenticated users or potentially without authentication.
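A defensive log check for the request pattern described above, added here as an example (it is not code from the advisory or from ManageEngine). It assumes an Apache/NGINX-style access log that records query strings. The allowlist for pollingObject values, the sample log lines and the placeholder URL path are all constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

API_NAME = "getDataCollectionFailureReason"  # endpoint name from the advisory
PARAM = "pollingObject"                      # injectable parameter from the advisory
# Assumption: legitimate values are short, simple identifiers; tune per deployment.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.:\- ]{1,128}")
# Assumption: the request line is quoted, as in the combined log format.
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[0-9.]+"')

def build_is_affected(build):
    """Affected range stated on this page: builds 125140 through 125436."""
    return 125140 <= build <= 125436

def suspicious_requests(lines):
    """Return (line_number, decoded_value) for calls to the API whose
    pollingObject value falls outside the allowlist. Only query strings are
    visible in access logs; POST bodies need application or proxy logging."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group("target"))
        if API_NAME.lower() not in url.path.lower():
            continue
        # parse_qsl percent-decodes, so encoded quotes are checked decoded.
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == PARAM and not SAFE_VALUE.fullmatch(value):
                hits.append((number, value))
    return hits

# Constructed sample log lines; "/placeholder/" stands in for the real path.
SAMPLE_LOG = [
    '192.0.2.5 - - [03/Sep/2021:10:00:00 +0000] "GET /placeholder/'
    'getDataCollectionFailureReason?pollingObject=Interface_eth0 HTTP/1.1" 200 512',
    '192.0.2.9 - - [03/Sep/2021:10:00:05 +0000] "GET /placeholder/'
    'getDataCollectionFailureReason?pollingObject=Interface%27-- HTTP/1.1" 200 87',
    '192.0.2.5 - - [03/Sep/2021:10:00:09 +0000] "GET /placeholder/'
    'otherEndpoint?pollingObject=a%27b HTTP/1.1" 200 40',
]

if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: unexpected {PARAM} value {value!r}")
```

Hits on a build inside the affected range are the ones to review first; the same requests against a fixed build indicate probing rather than a reachable injection.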
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries against the underlying database [1]. This could result in unauthorized access to sensitive data, modification of database contents, and potentially remote code execution depending on the database user's privileges.
Mitigation
The vulnerability is fixed in OpManager builds 125437 and 125453, released on September 3, 2021 [1]. Users should upgrade to version 12.5.437 or later. No workarounds are provided in the advisory [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho ManageEngine/Zoho ManageEngine OpManager
- Range: <125437
Patches
No patches discovered yet.
References
[1] www.manageengine.com/network-monitoring/security-updates/cve-2021-40493.html (mitre, x_refsource_MISC)