CVE-2019-8346 — Cross-site Scripting in Manageengine Adselfservice Plus

CWE-79 — Cross-site Scripting3 documents3 sources

Severity

6.1MEDIUMNVD

EPSS

3.2%

top 13.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Adselfservice Plus

Timeline

PublishedMay 24

Latest updateMay 24

Description

In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages1 packages

▶NVDzohocorp/manageengine_adselfservice_plus8 versions+7

🔴Vulnerability Details

GHSA

GHSA-fr9c-3m85-729w: In Zoho ManageEngine ADSelfService Plus 5↗2022-05-24

▶

CVEList

CVE-2019-8346: In Zoho ManageEngine ADSelfService Plus 5↗2019-05-24

▶