Zohocorp Manageengine Adselfservice Plus vulnerabilities

52 known vulnerabilities affecting zohocorp/manageengine_adselfservice_plus.

Total CVEs: 52
CISA KEV: 3 (actively exploited)
Public exploits: 13
Exploited in wild: 3
Severity breakdown: CRITICAL 18, HIGH 11, MEDIUM 23

Vulnerabilities

Page 3 of 3
CVE-2019-8346 | MEDIUM | CVSS 6.1 | affected: v5.0, v5.1, +6 more | published 2019-05-24
CVE-2019-8346 [MEDIUM] CWE-79: In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token.
nvd
CVE-2019-11511 | MEDIUM | CVSS 6.1 | affected: v5.7 | published 2019-04-25
CVE-2019-11511 [MEDIUM] CWE-79: Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API.
nvd
CVE-2019-7161 | HIGH | CVSS 7.5 | affected: v5.0, v5.1, +6 more | published 2019-03-21
CVE-2019-7161 [HIGH] CWE-798: An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data.
nvd
CVE-2018-20664 | CRITICAL | CVSS 9.8 | affected: v5.7 | published 2019-01-03
CVE-2018-20664 [CRITICAL] CWE-611: Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.
nvd
CVE-2019-3905 | CRITICAL | CVSS 10.0 | affected: v5.0, v5.1, +6 more | published 2019-01-03
CVE-2019-3905 [CRITICAL] CWE-918: Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF.
nvd
CVE-2018-20485 | MEDIUM | CVSS 6.1 | PoC available | affected: v4.5, v5.0, +7 more | published 2018-12-26
CVE-2018-20485 [MEDIUM] CWE-79: Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature.
nvd
CVE-2018-20484 | MEDIUM | CVSS 6.1 | PoC available | affected: v5.7 | published 2018-12-26
CVE-2018-20484 [MEDIUM] CWE-79: Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation.
nvd
CVE-2014-3779 | MEDIUM | CVSS 4.3 | affected: ≤ 5.2 | published 2015-01-07
CVE-2014-3779 [MEDIUM] CWE-79: Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to GroupSubscription.do.
nvd
CVE-2011-5105 | MEDIUM | CVSS 4.3 | PoC available | affected: v4.5 | published 2012-08-23
CVE-2011-5105 [MEDIUM]: Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 allow remote attackers to inject arbitrary web script or HTML via the (1) searchType and (2) searchString parameters, a different vulnerability than CVE-2010-3274.
nvd
CVE-2010-3274 | MEDIUM | CVSS 4.3 | PoC available | affected: ≤ 4.4 | published 2011-02-17
CVE-2010-3274 [MEDIUM] CWE-79: Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action.
nvd
CVE-2010-3272 | MEDIUM | CVSS 4.3 | PoC available | affected: ≤ 4.4 | published 2011-02-17
CVE-2010-3272 [MEDIUM] CWE-20: accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it easier for remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, via a modified (1) Hide_Captcha or (2) quesList parameter in a validateAll action.
nvd
CVE-2010-3273 | MEDIUM | CVSS 5.0 | affected: ≤ 4.4 | published 2011-02-17
CVE-2010-3273 [MEDIUM] CWE-20: ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allows remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, by providing a user id to accounts/ValidateUser, and then providing a new password to accounts/ResetResult.
nvd