Zohocorp Manageengine Adselfservice Plus vulnerabilities

54 known vulnerabilities affecting zohocorp/manageengine_adselfservice_plus.

Total CVEs: 54
CISA KEV: 3 (actively exploited)
Public exploits: 13
Exploited in wild: 4
Severity breakdown: CRITICAL 19, HIGH 12, MEDIUM 23

Vulnerabilities

Page 2 of 3
CVE-2018-20484 | P3 | MEDIUM | CVSS 6.1 | PoC | v5.7 | 2018-12-26
CVE-2018-20484 [MEDIUM] CWE-79: Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation.
nvd
CVE-2026-11374 | P3 | CRITICAL | CVSS 9.0 | fixed in 6529 | 2026-06-23
CVE-2026-11374 [CRITICAL] CWE-287: In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted by an unauthenticated user, leading to account takeover.
nvd
CVE-2021-37417 | P2 | CRITICAL | CVSS 9.8 | fixed in 6.1 | v6.1 | 2021-08-30
CVE-2021-37417 [CRITICAL] CWE-287: Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation.
nvd
CVE-2026-2740 | P3 | HIGH | CVSS 8.4 | fixed in 6525 | 2026-05-21
CVE-2026-2740 [HIGH] CWE-77: Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency.
nvd
CVE-2021-37422 | P3 | CRITICAL | CVSS 9.8 | fixed in 6.1 | v6.1 | 2021-09-10
CVE-2021-37422 [CRITICAL] CWE-89: Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases.
nvd
CVE-2021-37416 | P3 | MEDIUM | CVSS 6.1 | PoC | fixed in 6.1 | v6.1 | 2021-08-30
CVE-2021-37416 [MEDIUM] CWE-79: Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.
nvd
CVE-2019-7162 | P3 | CRITICAL | CVSS 9.1 | v5.6 | 2019-12-31
CVE-2019-7162 [CRITICAL]: An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to retrieve internal information from the system and modify the product installation.
nvd
CVE-2021-37421 | P3 | CRITICAL | CVSS 9.8 | fixed in 6.1 | v6.1 | 2021-08-30
CVE-2021-37421 [CRITICAL] CWE-345: Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass.
nvd
CVE-2010-3274 | P4 | MEDIUM | CVSS 4.3 | PoC | ≤ 4.4 | 2011-02-17
CVE-2010-3274 [MEDIUM] CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action.
nvd
CVE-2023-35719 | P3 | MEDIUM | CVSS 6.8 | v6.1 | 2023-09-06
CVE-2023-35719 [MEDIUM] CWE-345: ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability. The specific flaw
nvd
CVE-2018-20664 | P3 | CRITICAL | CVSS 9.8 | v5.7 | 2019-01-03
CVE-2018-20664 [CRITICAL] CWE-611: Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.
nvd
CVE-2019-3905 | P3 | CRITICAL | CVSS 10.0 | v5.0-5000, v5.0-5001, +99 more | 2019-01-03
CVE-2019-3905 [CRITICAL] CWE-918: Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF.
nvd
CVE-2022-36413 | P3 | CRITICAL | CVSS 9.1 | fixed in 6.2 | v6.2 | 2023-03-23
CVE-2022-36413 [CRITICAL] CWE-307: Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications.
nvd
CVE-2010-3272 | P4 | MEDIUM | CVSS 4.3 | PoC | ≤ 4.4 | 2011-02-17
CVE-2010-3272 [MEDIUM] CWE-20: accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it easier for remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, via a modified (1) Hide_Captcha or (2) quesList parameter in a validateAll action.
nvd
CVE-2021-37423 | P3 | CRITICAL | CVSS 9.8 | fixed in 6.1 | v6.1 | 2021-09-10
CVE-2021-37423 [CRITICAL]: Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover.
nvd
CVE-2025-1723 | P3 | HIGH | CVSS 8.1 | fixed in 6.5 | v6.5 | 2025-03-03
CVE-2025-1723 [HIGH] CWE-287: Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling. Valid account holders in the setup only have the potential to exploit this bug.
nvd
CVE-2019-18411 | P3 | HIGH | CVSS 8.8 | v5.0, v5.1, +7 more | 2019-11-06
CVE-2019-18411 [HIGH] CWE-352: Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the reset password function and control the system to send the authentication cod
nvd
CVE-2011-5105 | P4 | MEDIUM | CVSS 4.3 | PoC | v4.5 | 2012-08-23
CVE-2011-5105 [MEDIUM]: Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 allow remote attackers to inject arbitrary web script or HTML via the (1) searchType and (2) searchString parameters, a different vulnerability than CVE-2010-3274.
nvd
CVE-2019-7161 | P3 | HIGH | CVSS 7.5 | v5.0, v5.1, +6 more | 2019-03-21
CVE-2019-7161 [HIGH] CWE-798: An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data.
nvd
CVE-2022-34829 | P3 | HIGH | CVSS 7.5 | fixed in 6.2 | v6.2 | 2022-07-04
CVE-2022-34829 [HIGH]: Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API.
nvd