Security Updates

CVE-2024-38871 - Authenticated SQL injection vulnerability in Exchange Reporter Plus

Vulnerability Details
Severity: High
CVE ID: CVE-2024-38871
Affected software versions: Build 5717 and below
Fixed version: Build 5718
Fixed on: 15 July 2024

Details

Exchange Reporter Plus was reported to have an authenticated SQL injection vulnerability in the Reports tab. This has been fixed in build 5718, and its release notes can be found here.

Impact

This vulnerability can allow an authenticated adversary to execute custom queries and access entries in the database table using the vulnerable request.

What should I do?

Given the severity of this vulnerability, customers are strongly advised to update Exchange Reporter Plus to the latest build immediately by following the steps below:

  1. Download the latest service pack from here.
  2. Apply the latest service pack to your existing product installation by following the instructions provided in the above link.

If you have any questions or need assistance updating the product to the latest version, please contact our product support at support@exchangereporterplus.com.

Acknowledgement

This vulnerability was discovered by minhgalaxy.
