Zohocorp ManageEngine ADSelfService Plus vulnerabilities
54 known vulnerabilities affecting zohocorp/manageengine_adselfservice_plus.
Total CVEs: 54
CISA KEV: 3 (actively exploited)
Public exploits: 13
Exploited in the wild: 4
Severity breakdown: CRITICAL 19, HIGH 12, MEDIUM 23
Vulnerabilities
Page 3 of 3
CVE-2021-20147 | P3 | MEDIUM | CVSS 5.3 | CWE-203 | Affected: ≤ 6.0, v6.1, +1 more | Published: 2022-01-03
ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists.
Source: NVD
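The weakness class behind CVE-2021-20147 (CWE-203) is easiest to see side by side: a password-change handler that answers "user does not exist" and "wrong password" differently leaks account names to anyone who can reach it. The following is an added, constructed illustration, not ADSelfService Plus code; the real ChangePasswordAPI request format is not on this page. The user directory, the dummy credential and the probe's bogus username are all assumptions. The probe works for any handler with this shape, not just the two shown: it only needs a baseline response for a name that cannot exist and compares everything else against it.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Iterable

# Constructed directory standing in for a Windows domain's user list (assumption).
KNOWN_USERS = {"alice": "Winter2024!", "bob": "hunter2"}
# Dummy credential compared against when the user is unknown, so the hardened
# handler does the same comparison work on both paths (assumption).
_DUMMY_PW = "not-a-real-password"


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def change_password_vulnerable(user: str, old_pw: str, new_pw: str) -> Response:
    # CWE-203: the unknown-user case and the bad-credential case are
    # distinguishable from status and body alone, so an unauthenticated
    # caller can confirm which account names exist without ever logging in.
    if user not in KNOWN_USERS:
        return Response(404, "User does not exist")
    if KNOWN_USERS[user] != old_pw:
        return Response(401, "Incorrect old password")
    return Response(200, "Password changed")


def change_password_hardened(user: str, old_pw: str, new_pw: str) -> Response:
    # Both failure causes collapse to one status and one message, and the
    # credential comparison runs even for unknown users (against a dummy), so
    # neither the body nor the amount of work done depends on user existence.
    stored = KNOWN_USERS.get(user)
    candidate = _DUMMY_PW if stored is None else stored
    match = hmac.compare_digest(candidate.encode(), old_pw.encode())
    if stored is None or not match:
        return Response(401, "Invalid username or password")
    return Response(200, "Password changed")


Handler = Callable[[str, str, str], Response]


def enumerate_users(endpoint: Handler, candidates: Iterable[str]) -> list[str]:
    """Probe: submit a deliberately wrong password for a name that cannot exist,
    then flag every candidate whose response differs from that baseline.
    Against a hardened endpoint this returns an empty list."""
    baseline = endpoint("zz-no-such-user-zz", "wrong", "wrong")
    return sorted(c for c in candidates if endpoint(c, "wrong", "wrong") != baseline)


if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("vulnerable leaks:", enumerate_users(change_password_vulnerable, names))
    print("hardened leaks:  ", enumerate_users(change_password_hardened, names))
```

The probe only compares status and body; a real assessment would also compare response timing, which is why the hardened handler performs the comparison on the dummy credential instead of returning early.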
CVE-2019-12876 | P3 | HIGH | CVSS 7.3 | CWE-732 | Affected: v5.7 | Published: 2019-07-17
Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have insecure permissions, leading to privilege escalation from low-level privileges to SYSTEM.
Source: NVD
CVE-2024-27310 | P3 | MEDIUM | CVSS 6.5 | CWE-90 | Fixed in: 6.4 | Affected: v6.4 | Published: 2024-05-27
Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to a denial-of-service (DoS) attack via malicious LDAP input.
Source: NVD
CVE-2019-12476 | P4 | MEDIUM | CVSS 6.8 | CWE-640 | Affected: ≥ 4.3.3, < 5.0.6 | Published: 2019-06-17
An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input.
Source: NVD
CVE-2021-31874 | P4 | MEDIUM | CVSS 5.9 | Fixed in: 6.1 | Affected: v6.1 | Published: 2021-07-02
Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application.
Source: NVD
CVE-2010-3273 | P4 | MEDIUM | CVSS 5.0 | CWE-20 | Affected: ≤ 4.4 | Published: 2011-02-17
ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allows remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, by providing a user id to accounts/ValidateUser, and then providing a new password to accounts/ResetResult.
Source: NVD
CVE-2019-8346 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: v5.0, v5.1, +6 more | Published: 2019-05-24
In Zoho ManageEngine ADSelfService Plus 5.x through 5704, a cross-site scripting (XSS) vulnerability in authorization.do allows unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token.
Source: NVD
CVE-2021-27214 | P4 | MEDIUM | CVSS 6.1 | Affected: v6.0 | Published: 2021-02-19
A server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or a cross-site scripting (XSS) attack against the administrative interface via an HTTP request. This is a different vulnerability than CVE-2019-3905.
Source: NVD
CVE-2023-6105 | P4 | MEDIUM | CVSS 5.5 | CWE-200 | Fixed in: 6.3 | Affected: v6.3 | Published: 2023-11-15
An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine pr
Source: NVD
CVE-2019-11511 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Affected: v5.7 | Published: 2019-04-25
Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API.
Source: NVD
CVE-2019-18781 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | Affected: v5.0, v5.1, +7 more | Published: 2019-12-18
An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site.
Source: NVD
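The usual root cause of an open redirect like CVE-2019-18781 (CWE-601) is validating the redirect parameter by string prefix ("starts with /") instead of by where a browser will actually land. The validator below is an added example, not ADSelfService Plus code and not taken from any vendor fix; the portal host PORTAL_HOST is an assumption. It resolves the candidate against the portal's own origin the way a browser would, checks the resulting host, and then re-emits only the path, query and fragment, so scheme-relative ("//evil.example"), userinfo ("host@evil.example"), backslash and "////host" variants are all refused along with plain external URLs.

```python
from urllib.parse import urljoin, urlsplit

# Assumed origin of the self-service portal; the page does not name a host.
PORTAL_ORIGIN = "https://adssp.corp.example/"
PORTAL_HOST = "adssp.corp.example"


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return a redirect target that stays on PORTAL_HOST, or `default`.

    Validation is done on the resolved URL, not on the raw string, because a
    browser resolves relative targets against the current page before following
    them; anything that does not resolve to https://PORTAL_HOST is dropped.
    """
    if not target or any(ch.isspace() or ord(ch) < 0x20 for ch in target):
        return default
    if "\\" in target:
        # Browsers treat "/\evil.example" like "//evil.example"; refuse rather than guess.
        return default
    resolved = urlsplit(urljoin(PORTAL_ORIGIN, target))
    if resolved.scheme != "https" or resolved.hostname != PORTAL_HOST:
        return default
    try:
        port = resolved.port  # raises ValueError for a malformed port
    except ValueError:
        return default
    if resolved.username is not None or port not in (None, 443):
        return default
    # Re-emit only the path, query and fragment. The authority is never echoed,
    # and a path that itself begins with "//" would be read by the browser as a
    # scheme-relative URL, so it is rejected too.
    path = resolved.path or "/"
    if path.startswith("//"):
        return default
    if resolved.query:
        path += "?" + resolved.query
    if resolved.fragment:
        path += "#" + resolved.fragment
    return path


if __name__ == "__main__":
    # Constructed inputs: one legitimate hash-routed page and several bypass attempts.
    for candidate in ["/webclient/index.html#/directory-search", "//evil.example/",
                      "https://adssp.corp.example@evil.example/", "////evil.example",
                      "/\\evil.example", "javascript:alert(1)"]:
        print(f"{candidate!r:48} -> {safe_redirect_target(candidate)!r}")
```

The function returns a relative target on purpose: even when the input was an absolute URL on the right host, the response only ever redirects within the current origin, so a later change of host or port cannot turn an accepted value into an external hop.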
CVE-2021-27956 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | Fixed in: 6.1 | Affected: v6.1 | Published: 2021-05-20
Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.
Source: NVD
CVE-2021-20148 | P4 | MEDIUM | CVSS 4.3 | CWE-552 | Affected: ≤ 6.0, v6.1, +1 more | Published: 2022-01-03
ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a predictable filename based on the domain name. When ADSSP is configured with multiple Windows domains, a user from one domain can obtain the password policy for another domain by authenticating to the service and then send
Source: NVD
CVE-2014-3779 | P4 | MEDIUM | CVSS 4.3 | CWE-79 | Affected: ≤ 5.2 | Published: 2015-01-07
Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to GroupSubscription.do.
Source: NVD