CVE-2025-3833 — SQL Injection in Adselfservice Plus

CWE-89 — SQL Injection CWE-835 — Infinite Loop4 documents4 sources

Severity

8.1HIGHNVD

EPSS

3.3%

top 12.70%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Manageengine Adselfservice Plus Zohocorp Manageengine Adselfservice Plus

Timeline

PublishedMay 14

Description

Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages2 packages

▶NVDzohocorp/manageengine_adselfservice_plus< 6.5+1

▶CVEListV5manageengine/adselfservice_plus< 6514

🔴Vulnerability Details

CVEList

SQL Injection↗2025-05-14

▶

GHSA

GHSA-r263-h39v-v2j9: Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports↗2025-05-14

▶

📋Vendor Advisories

Microsoft

Openwsman versions up to and including 2.6.9 are vulnerable to infinite loop in process_connection() when parsing specially crafted HTTP requests. A remote unauthenticated attacker can exploit this vu↗2019-03-12

▶