CVSS: 9.8EPSS: 2%CPEs: 164EXPL: 0CVE-2021-28958
https://notcve.org/view.php?id=CVE-2021-28958
25 Jun 2021 — Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password. Zoho ManageEngine ADSelfService Plus versiones hasta 6101, es vulnerable a una Ejecución de Código Remota no autenticada mientras se cambia la contraseña • https://blog.stmcyber.com/vulns/cve-2021-28958 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 6.1EPSS: 0%CPEs: 4EXPL: 1CVE-2021-27956
https://notcve.org/view.php?id=CVE-2021-27956
20 May 2021 — Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field. Zoho ManageEngine ADSelfService Plus versiones anteriores a 6104, permite un ataque de tipo XSS almacenado en la página de búsqueda de usuarios /webclient/index.html#/directory-search por medio del campo e-mail address • https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released-with-an-important-security-fixes • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 3%CPEs: 152EXPL: 0CVE-2020-24786
https://notcve.org/view.php?id=CVE-2020-24786
31 Aug 2020 — An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService Plus before build number 5817, DataSecurity Plus before build number 6033, RecoverManager Plus before build number 6017, EventLog Analyzer before build number 12136, ADAudit Plus before build number 6052, O365 Manager Plus before build number 4334, Cloud Security Plus before build number 4110, ADManager Plus before build number 7055, and Log360 before build number 5166.... • https://medium.com/%40frycos/another-zoho-manageengine-story-7b472f1515f5 • CWE-287: Improper Authentication •
CVSS: 10.0EPSS: 9%CPEs: 5EXPL: 5CVE-2020-11552 – ManageEngine ADSelfService Plus 6000 Remote Code Execution
https://notcve.org/view.php?id=CVE-2020-11552
10 Aug 2020 — An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick-client soft... • https://packetstorm.news/files/id/158820 • CWE-269: Improper Privilege Management •
CVSS: 9.8EPSS: 0%CPEs: 17EXPL: 0CVE-2020-11518
https://notcve.org/view.php?id=CVE-2020-11518
04 Apr 2020 — Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution. Zoho ManageEngine ADSelfService Plus versiones anteriores a 5815, permite una ejecución de código remota no autenticada. • https://pitstop.manageengine.com/portal/community/topic/adselfservice-plus-5815-released-with-an-important-security-fix •
CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0CVE-2019-7162
https://notcve.org/view.php?id=CVE-2019-7162
31 Dec 2019 — An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to retrieve internal information from the system and modify the product installation. Se descubrió un problema en Zoho ManageEngine ADSelfService Plus versión 5.6 Build 5607. Un servicio expuesto permite que una persona no autenticada recupere información interna del sistema y modifique la instalación del producto. • https://www.excellium-services.com/cert-xlm-advisory/cve-2019-7162 •
CVSS: 6.1EPSS: 0%CPEs: 119EXPL: 0CVE-2019-18781
https://notcve.org/view.php?id=CVE-2019-18781
18 Dec 2019 — An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site. Se detectó una vulnerabilidad de redireccionamiento abierto en Zoho ManageEngine ADSelfService Plus versiones 5.x anteriores a 5809, lo que permite a atacantes obligar a usuarios que hacen clic en un enlace diseñado a ser enviados a un sitio externo específico. • https://pitstop.manageengine.com/portal/community/topic/adselfservice-plus-5809-release • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.8EPSS: 0%CPEs: 110EXPL: 0CVE-2019-18411
https://notcve.org/view.php?id=CVE-2019-18411
06 Nov 2019 — Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the reset password function and control the system to send the authentication code back to the channel that the attackers own. Zoho ManageEngine ADSelfService Plus versiones 5.x hasta 5803, presenta una vulnerabilidad de tipo CSRF en la pág... • https://gist.github.com/aliceicl/e32fb4a17277c7db9e0256185ac03dae • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 6.1EPSS: 0%CPEs: 100EXPL: 0CVE-2019-8346
https://notcve.org/view.php?id=CVE-2019-8346
24 May 2019 — In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token. En Zoho ManageEngine ADSelfService Plus versión 5.x hasta 5704, una vulnerabilidad de tipo cross-site Scripting (XSS) en el archivo authorization.do permite una manipulación no autenticada d... • https://www.manageengine.com/products/self-service-password/release-notes.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 103EXPL: 0CVE-2019-7161
https://notcve.org/view.php?id=CVE-2019-7161
18 Mar 2019 — An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data. Se ha descubierto un problema en Zoho ManageEngine ADSelfService Plus, en versiones 5.x hasta la Build 5704. Emplea claves de cifrado fijas para proteger la información, otorgando a un atacante la capacidad de descifrar cualquier dato protegido. • https://www.excellium-services.com/cert-xlm-advisory/cve-2019-7161 • CWE-798: Use of Hard-coded Credentials •