Zohocorp Manageengine Adselfservice Plus vulnerabilities
52 known vulnerabilities affecting zohocorp/manageengine_adselfservice_plus.
Total CVEs: 52
CISA KEV: 3 (actively exploited)
Public exploits: 13
Exploited in wild: 3
Severity breakdown: CRITICAL 18, HIGH 11, MEDIUM 23
Vulnerabilities
Page 2 of 3
CVE-2021-37422 | CRITICAL | CVSS 9.8 | CWE-89 | fixed in 6.1 | v6.1 | 2021-09-10
Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases.
nvd
CVE-2021-40539 | CRITICAL | CVSS 9.8 | CWE-706 | KEV | PoC | fixed in 6.1 | v6.1 | 2021-09-07
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.
nvd
CVE-2021-37417 | CRITICAL | CVSS 9.8 | CWE-287 | fixed in 6.1 | v6.1 | 2021-08-30
Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation.
nvd
CVE-2021-33055 | CRITICAL | CVSS 9.8 | CWE-78 | fixed in 6.1 | v6.1 | 2021-08-30
Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.
nvd
CVE-2021-37421 | CRITICAL | CVSS 9.8 | CWE-345 | fixed in 6.1 | v6.1 | 2021-08-30
Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass.
nvd
CVE-2021-37416 | MEDIUM | CVSS 6.1 | CWE-79 | PoC | fixed in 6.1 | v6.1 | 2021-08-30
Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.
nvd
CVE-2021-33256 | HIGH | CVSS 8.8 | CWE-1236 | v6.1 | 2021-08-09
A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as CSV file. Note: The vendor disputes this vulnera
nvd
CVE-2021-31874 | MEDIUM | CVSS 5.9 | fixed in 6.1 | v6.1 | 2021-07-02
Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application.
nvd
CVE-2021-28958 | CRITICAL | CVSS 9.8 | CWE-78 | v4.5, v5.0, +11 more | 2021-06-25
Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password.
nvd
CVE-2021-27956 | MEDIUM | CVSS 6.1 | CWE-79 | fixed in 6.1 | v6.1 | 2021-05-20
Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.
nvd
CVE-2021-27214 | MEDIUM | CVSS 6.1 | v6.0 | 2021-02-19
A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905.
nvd
CVE-2018-5353 | CRITICAL | CVSS 9.8 | CWE-290 | fixed in 5.5 | v5.5 | 2020-09-30
The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execut
nvd
CVE-2020-24786 | CRITICAL | CVSS 9.8 | CWE-287 | ≤ 5.7 | v5.8 | 2020-08-31
An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365
nvd
CVE-2020-11552 | CRITICAL | CVSS 9.8 | CWE-269 | PoC | ≤ 5.8 | v6.0 | 2020-08-11
An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target s
nvd
CVE-2020-11518 | CRITICAL | CVSS 9.8 | ≤ 5.7 | v5.8 | 2020-04-04
Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution.
nvd
CVE-2019-7162 | CRITICAL | CVSS 9.1 | v5.6 | 2019-12-31
An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to retrieve internal information from the system and modify the product installation.
nvd
CVE-2019-18781 | MEDIUM | CVSS 6.1 | CWE-601 | v5.0, v5.1, +7 more | 2019-12-18
An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site.
nvd
CVE-2019-18411 | HIGH | CVSS 8.8 | CWE-352 | v5.0, v5.1, +7 more | 2019-11-06
Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the reset password function and control the system to send the authentication cod
nvd
CVE-2019-12876 | HIGH | CVSS 7.3 | CWE-732 | v5.7 | 2019-07-17
Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System.
nvd
CVE-2019-12476 | MEDIUM | CVSS 6.8 | CWE-640 | ≥ 4.3.3, < 5.0.6 | 2019-06-17
An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input.
nvd