Severity: Medium
CVE ID: CVE-2024-9100
Product name | Affected Software Version(s) | Fixed Version(s) | Fixed On |
---|---|---|---|
Analytics Plus | All Analytics Plus builds below 5410 | Build 5410 | June 04, 2024 |
Details:
A Local File Inclusion (LFI) vulnerability has been discovered in Analytics Plus. This vulnerability enables an authenticated user to read arbitrary files from the server's filesystem through HSQLDB queries, potentially exposing sensitive information.
Impact:
This vulnerability allows users to access and read sensitive system files and configuration settings on the server.
Fix:
The issue has been resolved by implementing restrictions on the use of specific keywords in SQL queries. These restricted keywords include load_file,database_name, database_version, and others.
Steps to upgrade:
Acknowledgements:
This vulnerability was reported by Nandhaguru in our Bug Bounty portal.
If you have any questions or concerns, please contact product support at the email addresses below: