# ManageEngine Analytics Plus security updates

## Sensitive Data Exposure (CVE-2024-52323) in Analytics Plus on-premise Leading to Privilege Escalation

**Severity:** High

**CVE ID:** CVE-2024-52323

| Product name | Affected Software Version(s) | Fixed Version | Fixed On |
|---|---|---|---|
| Analytics Plus on-premise | Analytics Plus on-premise builds below 6100 | Build 6100 | November 27, 2024 |

**Details**

A Sensitive Data Exposure vulnerability has been identified in Analytics Plus on-premise, allowing an authenticated user to retrieve sensitive tokens associated with the org-admin account. This could potentially lead to unintended privilege escalation.

**Impact**

This vulnerability enables an attacker to perform admin actions, such as adding or removing users and altering configurations.

**Fix**

We have addressed this issue by removing the unused and vulnerable code from our application.

**Steps to upgrade**

1. Kindly download the latest upgrade pack from [here](https://www.manageengine.com/analytics-plus/service-packs.html).
2. Apply the latest build to your existing product installation as per the upgrade pack instructions provided in the above step.

**Acknowledgements**

This vulnerability was reported by **Mohamed Mekkawy working with Trend Micro's Zero Day Initiative** in our Bug Bounty portal.

If you have any questions or concerns, please contact product support at the email addresses below:

- EU region: [analyticsplus-support@manageengine.eu](mailto:analyticsplus-support@manageengine.eu)
- Other regions: [analyticsplus-support@manageengine.com](mailto:analyticsplus-support@manageengine.com)