
CVE-2021-28958
https://notcve.org/view.php?id=CVE-2021-28958
25 Jun 2021 — Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password. Zoho ManageEngine ADSelfService Plus versions up to 6101 are vulnerable to unauthenticated remote code execution while changing the password. • https://blog.stmcyber.com/vulns/cve-2021-28958 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •

CVE-2021-27956
https://notcve.org/view.php?id=CVE-2021-27956
20 May 2021 — Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field. Zoho ManageEngine ADSelfService Plus versions before 6104 allow a stored XSS attack on the /webclient/index.html#/directory-search user search page via the e-mail address field. • https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released-with-an-important-security-fixes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2018-5353
https://notcve.org/view.php?id=CVE-2018-5353
29 Sep 2020 — The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the... • https://github.com/missing0x00/CVE-2018-5353 • CWE-290: Authentication Bypass by Spoofing •

CVE-2020-24786
https://notcve.org/view.php?id=CVE-2020-24786
31 Aug 2020 — An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166.... • https://medium.com/%40frycos/another-zoho-manageengine-story-7b472f1515f5 • CWE-287: Improper Authentication •

CVE-2020-11552 – ManageEngine ADSelfService Plus 6000 Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-11552
10 Aug 2020 — An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick-client soft... • https://packetstorm.news/files/id/158820 • CWE-269: Improper Privilege Management •

CVE-2020-11518
https://notcve.org/view.php?id=CVE-2020-11518
04 Apr 2020 — Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution. Zoho ManageEngine ADSelfService Plus versions before 5815 allow unauthenticated remote code execution. • https://pitstop.manageengine.com/portal/community/topic/adselfservice-plus-5815-released-with-an-important-security-fix •

CVE-2019-12476
https://notcve.org/view.php?id=CVE-2019-12476
17 Jun 2019 — An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input. An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before version 5.0.6 allows an attacker with physical ... • https://github.com/0katz/CVE-2019-12476 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •

CVE-2018-20485 – Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-20485
26 Dec 2018 — Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature. Zoho ManageEngine OpManager 5.7 before build 5702 has cross-site scripting (XSS) via the employee search feature. Zoho ManageEngine ADSelfService Plus version 5.7 builds prior to 5702 suffer from multiple cross site scripting vulnerabilities. • https://packetstorm.news/files/id/152793 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2014-3779 – ADSelfservice Plus 5.1 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-3779
03 Jan 2015 — Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to GroupSubscription.do. XSS vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter in GroupSubscription.do. AdSelfservice Plus version 5.1 suffers from a cross site scripting vulnera... • https://packetstorm.news/files/id/129803 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2011-5105 – ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-5105
23 Aug 2012 — Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 allow remote attackers to inject arbitrary web script or HTML via the (1) searchType and (2) searchString parameters, a different vulnerability than CVE-2010-3274. Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in ZOHO ManageEngine ADSelfService Plus v4.5 Build 4521 allow remote attackers to inject arbitrary web script or HTML ... • https://www.exploit-db.com/exploits/36316 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •