# Local File Inclusion (CVE-2024-9100) Vulnerability in Analytics Plus on-premise

**Severity:** Medium

**CVE ID:** CVE-2024-9100

| Product name | Affected Software Version(s) | Fixed Version | Fixed On |
|---|---|---|---|
| Analytics Plus on-premise | All Analytics Plus on-premise builds below 5410 | Build 5410 | June 04, 2024 |

## Details

A Local File Inclusion (LFI) vulnerability has been discovered in Analytics Plus on-premise. It allows an authenticated user to read arbitrary files from the server's file system through HSQLDB queries, potentially exposing sensitive information.

## Impact

An authenticated user can read sensitive system files and configuration settings on the server.

## Fix

The issue has been resolved by restricting the use of specific keywords in SQL queries. The restricted keywords include `load_file`, `database_name`, `database_version`, and others. Installations on builds below 5410 remain affected until upgraded.

## Steps to upgrade

1. Download the latest upgrade pack from the [service pack page](https://www.manageengine.com/analytics-plus/service-packs.html).
2. Follow the instructions on the service pack page to upgrade to the latest build.

## Acknowledgements

This vulnerability was reported by **Nandhaguru** through our Bug Bounty portal.

For any questions or concerns, please write to us at:

- EU region: [analyticsplus-support@manageengine.eu](mailto:analyticsplus-support@manageengine.eu)
- Other regions: [analyticsplus-support@manageengine.com](mailto:analyticsplus-support@manageengine.com)
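The Fix section above describes restricting specific keywords in user-supplied SQL. The following is an added illustration of what such a check has to get right; it is not ManageEngine's code, and the product's actual filter is not published. The keyword list uses only the three names the advisory cites (the "and others" is not enumerated here, so the list is an assumption), and the sample queries are constructed for this example. The point it shows is that a denylist must be applied to the lexed identifiers of the query rather than to the raw text: case must be folded, comments must be skipped, and string literals must not trigger (or hide) a match.

```python
"""Illustrative SQL keyword restriction (added example; not Analytics Plus code)."""
import re

# Keywords named in the advisory. The advisory says "and others" without
# listing them, so this set is an assumption used for illustration only.
RESTRICTED_KEYWORDS = frozenset({"load_file", "database_name", "database_version"})

# Single-pass lexer: comments, string literals, identifiers, everything else.
# Handling comments and strings in one pass avoids the ordering bugs of
# stripping them with separate regexes (e.g. a "--" inside a string literal).
_TOKEN_RE = re.compile(
    r"(?P<comment>--[^\n]*|/\*.*?\*/)"          # -- line and /* block */ comments
    r"|(?P<string>'(?:[^']|'')*')"              # 'string' with '' escapes
    r"|(?P<ident>\"[^\"]*\"|[A-Za-z_][A-Za-z0-9_]*)"  # "quoted" or bare identifier
    r"|(?P<other>.)",                           # any other single character
    re.DOTALL,
)


def restricted_keywords_in(query: str) -> list[str]:
    """Return the restricted identifiers used in `query` (as code, not as data).

    Only identifier tokens are inspected: text inside comments and string
    literals is never a function call, so it neither triggers nor masks a match.
    Quoted identifiers are compared by their contents; matching is case-insensitive.
    """
    found: list[str] = []
    for m in _TOKEN_RE.finditer(query):
        ident = m.group("ident")
        if ident is None:
            continue
        name = ident[1:-1] if ident.startswith('"') else ident
        name = name.lower()
        if name in RESTRICTED_KEYWORDS and name not in found:
            found.append(name)
    return found


def is_query_allowed(query: str) -> bool:
    """True when the query uses none of the restricted keywords."""
    return not restricted_keywords_in(query)


def naive_substring_check(query: str) -> bool:
    """A check that compares raw text; kept here to show why lexing matters."""
    return not any(k in query for k in RESTRICTED_KEYWORDS)


if __name__ == "__main__":
    # Constructed sample queries, not from the advisory.
    for q in (
        "SELECT name FROM sales WHERE region = 'load_file'",
        "SELECT DATABASE_NAME() FROM INFORMATION_SCHEMA.SYSTEM_USERS",
        'SELECT "database_name"()',
        "SELECT 1 -- database_version",
    ):
        print(f"{is_query_allowed(q)!s:5} lexed  {naive_substring_check(q)!s:5} naive  {q}")
```

The `naive_substring_check` function is included only as a contrast: it blocks a harmless literal such as `'load_file'` while letting `DATABASE_NAME()` through because of case. Whatever filter a product applies, the advisory's actual remediation is the upgrade to build 5410 or later.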