CVE-2021-41288
Description
Zoho ManageEngine OpManager version 125466 and below is vulnerable to SQL Injection in the getReportData API.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Pre-authentication SQL injection in the getReportData API of Zoho ManageEngine OpManager build 125466 and earlier allows unauthenticated remote attackers to extract or modify database content.
Vulnerability
A SQL injection vulnerability exists in the getReportData API of Zoho ManageEngine OpManager build 125466 and earlier [1]. The endpoint fails to properly sanitize user-supplied input before incorporating it into SQL queries, allowing injection of arbitrary SQL statements. No authentication is required to reach the vulnerable API.
Exploitation
An unauthenticated attacker with network access to the affected OpManager instance can send specially crafted HTTP requests to the getReportData API, injecting malicious SQL commands through unsanitized parameters [1]. No special privileges or prior access are needed. The attacker can automate exploitation through repeated requests to enumerate or manipulate database contents.
Impact
Successful exploitation allows the attacker to read, modify, or delete arbitrary data from the underlying database [1]. This can lead to full disclosure of sensitive information, including credentials and configuration data. In some configurations, the attacker may be able to escalate to remote code execution or gain administrative control over the OpManager instance, depending on database permissions [1].
Mitigation
The fix is included in OpManager build 125467 and later [1]. Affected installations must upgrade to build 125467 or newer to remediate the vulnerability. No workaround is provided in the available references; upgrading is the recommended course of action.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine OpManager
- Range: <=125466
References
[1] www.manageengine.com/network-monitoring/help/read-me-complete.html (mitre, x_refsource_MISC)