Security Updates

CVE-2024-21775 - SQL injection vulnerability in Exchange Reporter Plus

Vulnerability Details
Severity High*
CVE ID CVE-2024-21775
Affected software versions Build 5714 and below
Fixed version Build 5715
Fixed on January 24, 2024

*Note: Based on further analysis by our security team, the severity of this vulnerability has been reduced from Critical to High.

Details

Exchange Reporter Plus builds 5714 and older were reported to contain an SQL injection vulnerability in the report export functionality. This has been fixed in build 5715; its release notes can be found here.

Impact

A successful attack may result in the attacker gaining administrative rights to the product database.
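The advisory does not publish the vulnerable query or the exact injection point, so the following is a generic added illustration of the bug class, not Exchange Reporter Plus code. It assumes a hypothetical report export that filters rows by a user-supplied department and sort column: the vulnerable version splices the filter into the SQL text, the fixed version binds the value as a parameter and checks the sort column (an identifier, which cannot be bound) against an allowlist. The table and rows are constructed sample data.

```python
import sqlite3

# Constructed sample data (hypothetical "mailbox report" table, not product data).
SAMPLE_ROWS = [
    ("alice@example.com", "Sales", 1200),
    ("bob@example.com", "Engineering", 3400),
    ("carol@example.com", "Finance", 560),
]


def make_db():
    """Build an in-memory database holding the sample report rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mailbox_report (mailbox TEXT, department TEXT, size_mb INTEGER)"
    )
    conn.executemany("INSERT INTO mailbox_report VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def export_report_vulnerable(conn, department):
    """Hypothetical vulnerable export: the filter value is spliced into the SQL text,
    so a crafted department string rewrites the WHERE clause."""
    sql = (
        "SELECT mailbox, department, size_mb FROM mailbox_report "
        f"WHERE department = '{department}'"
    )
    return conn.execute(sql).fetchall()


# Identifiers cannot be passed as bind parameters, so sortable columns are allowlisted.
ALLOWED_SORT_COLUMNS = {"mailbox", "department", "size_mb"}


def export_report_fixed(conn, department, sort_by="mailbox"):
    """Hardened export: the value goes through a bind parameter and the sort column
    must be one of the known report columns."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort_by!r}")
    sql = (
        "SELECT mailbox, department, size_mb FROM mailbox_report "
        f"WHERE department = ? ORDER BY {sort_by}"
    )
    return conn.execute(sql, (department,)).fetchall()


def demo():
    """Run the same injection string through both versions and return the row counts."""
    conn = make_db()
    payload = "Sales' OR '1'='1"  # constructed injection string, no real department
    leaked = export_report_vulnerable(conn, payload)  # WHERE clause now always true
    safe = export_report_fixed(conn, payload)  # literal string, matches nothing
    return len(leaked), len(safe)


if __name__ == "__main__":
    print(demo())
```

With the injected department string, the vulnerable export returns every row of the table while the parameterized export returns none; a sort column such as `mailbox; DROP TABLE mailbox_report` is rejected before any SQL is built. The same pattern applies to any report filter, column selection or ORDER BY value that reaches the database from a request.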

What should I do?

Given the severity of this vulnerability, you are strongly advised to update Exchange Reporter Plus to the latest build immediately.

To find your product's current version,

  1. Log in to the product as an administrator.
  2. Click the License link in the top-right corner of the screen.
  3. The product version can be found in the pop-up that appears.

If you are using an affected version (build 5714 and below), please update to the latest version immediately using the service pack.

Acknowledgements

This vulnerability was discovered by minhgalaxy.
