Vulnerabilities for 'Manageengine adselfservice plus'

2022-04-18
CVE-2022-28810
CWE-78
Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature. Because the product ships with a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote, partially authenticated attacker may be able to inject arbitrary commands into the custom script because the password field is not sanitized before it is used.

2022-04-07
CVE-2022-24681
CWE-79
Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute on the Reset Password, Unlock Account, or User Must Change Password screens.

2021-09-10
CVE-2021-37422
CWE-89
Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL injection while linking the databases.

CVE-2021-37423
NVD-CWE-noinfo
Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover.

2021-09-07
CVE-2021-40539
CWE-287
Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.

2021-08-30
CVE-2021-33055
CWE-78
Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.

CVE-2021-37416
CWE-79
Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.

CVE-2021-37417
CWE-20
Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation.

CVE-2021-37421
CWE-863
Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass.

2021-08-09
CVE-2021-33256
CWE-1236
A CSV injection vulnerability in the login panel of ManageEngine ADSelfService Plus version 6.1 build 6101 can be exploited by an unauthenticated user. The j_username parameter is not neutralized: a formula payload submitted as the username is stored with the failed login attempt, and a reverse shell could be obtained if a privileged user exports the "User Attempts Audit Report" as a CSV file and opens it in a spreadsheet application that evaluates the formula.
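The CWE-1236 entry above is the classic CSV (formula) injection pattern: an unauthenticated user writes a value into a field that a privileged user later exports, and the spreadsheet that opens the export evaluates it. The following is an added example, not code from this page, from ManageEngine or from the advisory author. It models a generic login-attempt audit exporter over constructed sample rows (the column names and usernames are assumptions), shows the unsafe writer beside a hardened one that applies the OWASP-recommended single-quote prefix to formula-leading cells, and includes a scanner that flags the cells a spreadsheet would evaluate, which is the check worth running on any report export before release.

```python
"""CSV (formula) injection, CWE-1236: vulnerable exporter, hardened exporter,
and a scanner for exported files. Added example; not ManageEngine code."""
import csv
import io

# Leading characters that make a spreadsheet evaluate a cell as a formula
# ('=', '+', '-', '@'); tab and carriage return can break out of the cell.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample rows, shaped like the login-attempt audit records a
# self-service portal might export. The last username is a formula payload
# (hypothetical, not taken from any real report).
SAMPLE_ATTEMPTS = [
    {"username": "jsmith", "status": "Failure", "source": "10.0.0.5"},
    {"username": "@helpdesk", "status": "Failure", "source": "10.0.0.7"},
    {"username": '=HYPERLINK("http://attacker.example/x","Open report")',
     "status": "Failure", "source": "198.51.100.9"},
]
COLUMNS = ("username", "status", "source")


def export_unsafe(rows):
    """Vulnerable exporter: user-controlled fields are written verbatim.
    csv.writer quotes cells containing '"' or ',', but spreadsheet
    applications still evaluate a quoted cell whose text begins with '='."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([c.title() for c in COLUMNS])
    for row in rows:
        writer.writerow([row[c] for c in COLUMNS])
    return buf.getvalue()


def neutralize_cell(value):
    """Prefix a formula-leading cell with a single quote so the spreadsheet
    treats it as text (OWASP CSV-injection guidance). Legitimate values such
    as negative numbers are prefixed too; that is the accepted trade-off."""
    text = str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_safe(rows):
    """Hardened exporter: every field is neutralized before being written."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([c.title() for c in COLUMNS])
    for row in rows:
        writer.writerow([neutralize_cell(row[c]) for c in COLUMNS])
    return buf.getvalue()


def find_formula_cells(csv_text):
    """Scan an exported CSV and return (row, column) positions of cells a
    spreadsheet would evaluate. Row 0 is the header line."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                findings.append((r, c))
    return findings


if __name__ == "__main__":
    unsafe = export_unsafe(SAMPLE_ATTEMPTS)
    safe = export_safe(SAMPLE_ATTEMPTS)
    print("unsafe export, cells a spreadsheet would evaluate:",
          find_formula_cells(unsafe))
    print("safe export, cells a spreadsheet would evaluate:  ",
          find_formula_cells(safe))
    print(safe)
```

The scanner reads the file the way a spreadsheet would, after CSV unquoting, which is why quoting alone (what `csv.writer` does by default) is not a defence: the `=HYPERLINK(...)` cell comes back out of `csv.reader` still starting with `=`. Neutralizing at write time is the fix; the scanner is the regression check.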

 


Copyright 2024, cxsecurity.com
