Zohocorp Manageengine Adselfservice Plus vulnerabilities
54 known vulnerabilities affecting zohocorp/manageengine_adselfservice_plus.
Total CVEs: 54
CISA KEV: 3 (actively exploited)
Public exploits: 13
Exploited in wild: 4
Severity breakdown: CRITICAL 19, HIGH 12, MEDIUM 23
Vulnerabilities
Page 1 of 3
Fields per entry: CVE | priority | severity | CVSS | CWE | flags | fix/version tags | date | source
CVE-2022-47966 | P1 | CRITICAL | CVSS 9.8 | CWE-20 | KEV, PoC, Ransomware | fixed in 6.2 | v6.2 | 2023-01-18 | source: nvd
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications
CVE-2021-40539 | P1 | CRITICAL | CVSS 9.8 | CWE-706 | KEV, PoC, Ransomware | fixed in 6.1 | v6.1 | 2021-09-07 | source: nvd
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.
CVE-2022-28810 | P1 | MEDIUM | CVSS 6.8 | CWE-78 | KEV, PoC | fixed in 6.1 | v6.1 | 2022-04-18 | source: nvd
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially au
CVE-2022-28987 | P2 | MEDIUM | CVSS 5.3 | Exploited, PoC | v6.1 | 2022-05-20 | source: nvd
Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login.
CVE-2021-28958 | P1 | CRITICAL | CVSS 9.8 | CWE-78 | v4.5, v5.0, +11 more | 2021-06-25 | source: nvd
Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password.
CVE-2020-11552 | P2 | CRITICAL | CVSS 9.8 | CWE-269 | PoC | ≤ 5.8, v6.0 | 2020-08-11 | source: nvd
An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target s
CVE-2022-29457 | P2 | HIGH | CVSS 8.8 | CWE-522 | PoC | fixed in 6.1 | v6.1 | 2022-04-18 | source: nvd
Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps.
CVE-2020-11518 | P2 | CRITICAL | CVSS 9.8 | ≤ 5.7, v5.8 | 2020-04-04 | source: nvd
Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution.
CVE-2021-33055 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | fixed in 6.1 | v6.1 | 2021-08-30 | source: nvd
Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.
CVE-2021-33256 | P2 | HIGH | CVSS 8.8 | CWE-1236 | v6.1 | 2021-08-09 | source: nvd
A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as CSV file. Note: The vendor disputes this vulnera
CVE-2018-5353 | P2 | CRITICAL | CVSS 9.8 | CWE-290 | fixed in 5.5 | v5.5 | 2020-09-30 | source: nvd
The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execut
CVE-2023-28342 | P3 | HIGH | CVSS 7.5 | CWE-400 | v4.5, v5.0, +12 more | 2023-04-05 | source: nvd
Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API.
CVE-2025-3833 | P2 | HIGH | CVSS 8.1 | CWE-89 | fixed in 6.5 | v6.5 | 2025-05-14 | source: nvd
Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports.
CVE-2024-0252 | P2 | HIGH | CVSS 8.8 | CWE-94 | fixed in 6.4 | v6.4 | 2024-01-11 | source: nvd
ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to remote code execution due to improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability.
CVE-2020-24786 | P2 | CRITICAL | CVSS 9.8 | CWE-287 | ≤ 5.7, v5.8 | 2020-08-31 | source: nvd
An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365
CVE-2025-11250 | P2 | CRITICAL | CVSS 9.1 | CWE-290 | fixed in 6.5 | v6.5, +1 more | 2026-01-13 | source: nvd
Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations.
CVE-2022-24681 | P3 | MEDIUM | CVSS 6.1 | CWE-79 | PoC | fixed in 6.1 | v6.1 | 2022-04-07 | source: nvd
Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.
CVE-2023-35854 | P2 | CRITICAL | CVSS 9.8 | CWE-306 | fixed in 6.1 | v6.1 | 2023-06-20 | source: nvd
Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."
CVE-2026-1367 | P2 | HIGH | CVSS 8.3 | CWE-89 | fixed in 6523 | 2026-02-23 | source: nvd
Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.
CVE-2018-20485 | P3 | MEDIUM | CVSS 6.1 | CWE-79 | PoC | v4.5, v5.0, +7 more | 2018-12-26 | source: nvd
Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature.