CVE-2017-17552 — Cross-Site Request Forgery in Manageengine Admanager Plus

CWE-352 — Cross-Site Request Forgery3 documents3 sources

Severity

8.8HIGHNVD

EPSS

0.3%

top 43.85%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Admanager Plus

Timeline

PublishedFeb 7

Latest updateMay 14

Description

/LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDzohocorp/manageengine_admanager_plus< 6.6+1

🔴Vulnerability Details

GHSA

GHSA-p5jc-xg44-9www: /LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting↗2022-05-14

▶

CVEList

CVE-2017-17552: /LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting↗2018-02-07

▶