Product: Manageengine_adselfservice_plus (Zohocorp)

Repositories: Unknown (this might be proprietary software).

Vulnerabilities: 48
| Date | Id | Summary | Products | Score |
|---|---|---|---|---|
| 2021-09-07 | CVE-2021-40539 | Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. | Manageengine_adselfservice_plus | 9.8 |
| 2021-09-10 | CVE-2021-37423 | Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover. | Manageengine_adselfservice_plus | 9.8 |
| 2021-09-10 | CVE-2021-37422 | Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL injection while linking the databases. | Manageengine_adselfservice_plus | 9.8 |
| 2022-01-03 | CVE-2021-20147 | ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists. | Manageengine_adselfservice_plus | 5.3 |
| 2022-01-03 | CVE-2021-20148 | ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a predictable filename based on the domain name. When ADSSP is configured with multiple Windows domains, a user from one domain can obtain the password policy for another domain by authenticating to the service and then sending a request specifying the password policy file of the other domain. | Manageengine_adselfservice_plus | 4.3 |
| 2022-04-07 | CVE-2022-24681 | Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen. | Manageengine_adselfservice_plus | 6.1 |
| 2022-04-18 | CVE-2022-28810 | Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field. | Manageengine_adselfservice_plus | 6.8 |
| 2022-04-18 | CVE-2022-29457 | Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM hash disclosure during certain storage-path configuration steps. | Manageengine_adaudit_plus, Manageengine_admanager_plus, Manageengine_adselfservice_plus, Manageengine_exchange_reporter_plus | 8.8 |
| 2022-05-20 | CVE-2022-28987 | Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login. | Manageengine_adselfservice_plus | 5.3 |
| 2022-07-04 | CVE-2022-34829 | Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API. | Manageengine_adselfservice_plus | 7.5 |