Search
Total
16 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-6105 | 3 Linux, Microsoft, Zohocorp | 41 Linux Kernel, Windows, Manageengine Access Manager Plus and 38 more | 2023-12-28 | N/A | 5.5 MEDIUM |
| An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A low-privileged OS user with access to the host where an affected ManageEngine product is installed can view and use the exposed key to decrypt product database passwords. This allows the user to access the ManageEngine product database. | |||||
| CVE-2021-20148 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2023-08-08 | 3.5 LOW | 4.3 MEDIUM |
| ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a predictable filename based on the domain name. When ADSSP is configured with multiple Windows domains, a user from one domain can obtain the password policy for another domain by authenticating to the service and then sending a request specifying the password policy file of the other domain. | |||||
| CVE-2022-28810 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2023-08-08 | 7.1 HIGH | 6.8 MEDIUM |
| Zoho ManageEngine ADSelfService Plus before build 6122 allows a remote authenticated administrator to execute arbitrary operating OS commands as SYSTEM via the policy custom script feature. Due to the use of a default administrator password, attackers may be able to abuse this functionality with minimal effort. Additionally, a remote and partially authenticated attacker may be able to inject arbitrary commands into the custom script due to an unsanitized password field. | |||||
| CVE-2021-27214 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2022-07-12 | 4.3 MEDIUM | 6.1 MEDIUM |
| A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905. | |||||
| CVE-2022-28987 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2022-07-02 | 5.0 MEDIUM | 5.3 MEDIUM |
| Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login. | |||||
| CVE-2022-24681 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2022-05-17 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen. | |||||
| CVE-2021-20147 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2022-01-13 | 5.0 MEDIUM | 5.3 MEDIUM |
| ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists. | |||||
| CVE-2021-37416 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2021-09-02 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page. | |||||
| CVE-2021-31874 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2021-07-06 | 4.3 MEDIUM | 5.9 MEDIUM |
| Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application. | |||||
| CVE-2021-27956 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2021-05-26 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field. | |||||
| CVE-2019-12476 | 2 Microsoft, Zohocorp | 2 Windows, Manageengine Adselfservice Plus | 2020-08-24 | 7.2 HIGH | 6.8 MEDIUM |
| An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input. | |||||
| CVE-2019-18781 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2020-01-06 | 5.8 MEDIUM | 6.1 MEDIUM |
| An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site. | |||||
| CVE-2019-11511 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2019-06-03 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API. | |||||
| CVE-2019-8346 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2019-05-29 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token. | |||||
| CVE-2018-20484 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2019-05-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation. | |||||
| CVE-2018-20485 | 1 Zohocorp | 1 Manageengine Adselfservice Plus | 2019-05-10 | 4.3 MEDIUM | 6.1 MEDIUM |
| Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature. | |||||