CVE-2021-37416
https://notcve.org/view.php?id=CVE-2021-37416
Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page. Zoho ManageEngine ADSelfService Plus versiones 6103 y anteriores, es vulnerable a un ataque de tipo XSS reflejado en la página loadframe. • https://blog.stmcyber.com/vulns/cve-2021-37416 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2021-33055
https://notcve.org/view.php?id=CVE-2021-33055
Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions. Zoho ManageEngine ADSelfService Plus versiones hasta 6102, permite una ejecución de código remota no autenticado en ediciones no Inglesas. • https://blog.stmcyber.com/vulns/cve-2021-33055 https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVE-2021-31874
https://notcve.org/view.php?id=CVE-2021-31874
Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application. Zoho ManageEngine ADSelfService Plus versiones anteriores a 6104, en raras situaciones, permite a atacantes obtener información confidencial sobre la aplicación de base de datos de sincronización de contraseñas • https://blog.stmcyber.com/vulns/cve-2021-31874 https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released-with-an-important-security-fixes •
CVE-2021-27956
https://notcve.org/view.php?id=CVE-2021-27956
Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field. Zoho ManageEngine ADSelfService Plus versiones anteriores a 6104, permite un ataque de tipo XSS almacenado en la página de búsqueda de usuarios /webclient/index.html#/directory-search por medio del campo e-mail address • https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released-with-an-important-security-fixes https://raxis.com/blog/cve-2021-27956-manage-engine-xss https://www.manageengine.com • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2018-5353
https://notcve.org/view.php?id=CVE-2018-5353
The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required El módulo GINA/CP personalizado en Zoho ManageEngine ADSelfService Plus versiones anteriores a 5.5 build 5517, permite a atacantes remotos ejecutar código y escalar privilegios mediante una suplantación de identidad. • https://github.com/missing0x00/CVE-2018-5353 http://zoho.com https://www.manageengine.com/products/self-service-password/release-notes.html • CWE-290: Authentication Bypass by Spoofing •