Severity: Medium
CVE ID: CVE-2024-9100
| Product name | Affected Software Version(s) | Fixed Version | Fixed On |
|---|---|---|---|
| Analytics Plus on-premise | All Analytics Plus on-premise builds below 5410 | Build 5410 | June 04, 2024 |
Details
A Local File Inclusion (LFI) vulnerability has been discovered in Analytics Plus on-premise. This vulnerability enables an authenticated user to read arbitrary files from the server's file system through HSQLDB queries, potentially exposing sensitive information.
Impact
This vulnerability allows users to access and read sensitive system files and configuration settings on the server.
Fix
The issue has been resolved by implementing restrictions on the use of specific keywords in SQL queries. These restricted keywords include load_file, database_name, database_version, and others.
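The following is an added illustration of the kind of keyword restriction the fix describes; it is not the vendor's code and does not reflect how Analytics Plus implements the check. The keyword set is an assumption limited to the three names the advisory lists ("and others" is not enumerated on the page), and the sample queries are constructed. It matches whole identifiers case-insensitively after stripping SQL comments, so a keyword hidden inside `/* */` or split across a block comment is still caught, while an unrelated column name that merely contains the substring is not rejected.

```python
import re

# Keywords the advisory says the fix restricts in user-supplied SQL.
# Assumption: only the three names given on the page; the real list is longer.
RESTRICTED_KEYWORDS = frozenset({"load_file", "database_name", "database_version"})

# SQL identifiers / function names, matched as whole words so that a column
# such as "payload_filename" does not trigger on a substring hit.
_IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def _strip_comments(sql: str) -> str:
    """Remove /* */ block comments and -- line comments.

    Done before matching so that an identifier split by an empty block
    comment (load/**/_file) is seen as the single word load_file.
    """
    sql = re.sub(r"/\*.*?\*/", "", sql, flags=re.S)
    sql = re.sub(r"--[^\n]*", "", sql)
    return sql


def restricted_keywords_in(sql: str) -> list[str]:
    """Return the restricted keywords present in the query, lower-cased,
    in order of first appearance (empty list if none)."""
    cleaned = _strip_comments(sql)
    found: list[str] = []
    for match in _IDENT_RE.finditer(cleaned):
        word = match.group(0).lower()
        if word in RESTRICTED_KEYWORDS and word not in found:
            found.append(word)
    return found


def is_query_allowed(sql: str) -> bool:
    """Gate used before handing a user-authored query to the database."""
    return not restricted_keywords_in(sql)


if __name__ == "__main__":
    # Constructed sample queries, not from the advisory.
    samples = [
        "SELECT region, SUM(revenue) FROM sales GROUP BY region",
        "select LOAD_FILE('/constructed/example') as f",
        "select database_version() /* hidden */ , load/**/_file('x')",
        "select payload_filename from uploads",
    ]
    for q in samples:
        print(f"{'ALLOW' if is_query_allowed(q) else 'BLOCK':5} {q!r}  -> {restricted_keywords_in(q)}")
```

A denylist like this is a containment measure rather than a complete fix: it is only as good as its keyword list and its tokenizer, and a word inside a string literal is also flagged (a deliberate false-positive bias). Running user-authored SQL under a database account that cannot reach the file system, and logging every rejected query for the SOC, are the complementary controls a practitioner would pair with it.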
Steps to upgrade
Acknowledgements
This vulnerability was reported by Nandhaguru through our Bug Bounty portal.
For any questions or concerns, please write to us at: