Product: Manageengine_adselfservice_plus (Zohocorp)

Repositories: Unknown. This might be proprietary software.

#Vulnerabilities 48
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2021-08-09 | CVE-2021-33256 | A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as CSV file. Note: The vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side. | Manageengine_adselfservice_plus | 8.8 | | |
| 2021-08-30 | CVE-2021-33055 | Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions. | Manageengine_adselfservice_plus | 9.8 | | |
| 2021-08-30 | CVE-2021-37416 | Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page. | Manageengine_adselfservice_plus | 6.1 | | |
| 2021-08-30 | CVE-2021-37417 | Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation. | Manageengine_adselfservice_plus | 9.8 | | |
| 2021-08-30 | CVE-2021-37421 | Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass. | Manageengine_adselfservice_plus | 9.8 | | |
| 2021-09-10 | CVE-2021-37423 | Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover. | Manageengine_adselfservice_plus | 9.8 | | |
| 2021-09-10 | CVE-2021-37422 | Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases. | Manageengine_adselfservice_plus | 9.8 | | |
| 2022-01-03 | CVE-2021-20147 | ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists. | Manageengine_adselfservice_plus | 5.3 | | |
| 2022-01-03 | CVE-2021-20148 | ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a predictable filename based on the domain name. When ADSSP is configured with multiple Windows domains, a user from one domain can obtain the password policy for another domain by authenticating to the service and then sending a request specifying the password policy file of the other domain. | Manageengine_adselfservice_plus | 4.3 | | |
| 2022-04-07 | CVE-2022-24681 | Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen. | Manageengine_adselfservice_plus | 6.1 | | |