CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 1CVE-2019-12476
https://notcve.org/view.php?id=CVE-2019-12476
17 Jun 2019 — An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input. Una vulnerabilidad de omisión de identificación en la funcionalidad de restablecimiento de contraseña en Zoho ManageEngine ADSelfService Plus antes de la versión 5.0.6 permite a un atacante con acceso físi... • https://github.com/0katz/CVE-2019-12476 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 6.1EPSS: 6%CPEs: 100EXPL: 0CVE-2019-8346
https://notcve.org/view.php?id=CVE-2019-8346
24 May 2019 — In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token. En Zoho ManageEngine ADSelfService Plus versión 5.x hasta 5704, una vulnerabilidad de tipo cross-site Scripting (XSS) en el archivo authorization.do permite una manipulación no autenticada d... • https://www.manageengine.com/products/self-service-password/release-notes.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 4%CPEs: 99EXPL: 0CVE-2019-11511
https://notcve.org/view.php?id=CVE-2019-11511
25 Apr 2019 — Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API. Zoho ManageEngine ADSelfService Plus, en versiones anteriores del build 5708, es vulnerable a un XSS a través de la API de aplicaciones móviles. • https://www.manageengine.com/products/self-service-password/release-notes.html#5708 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 5%CPEs: 103EXPL: 0CVE-2019-7161
https://notcve.org/view.php?id=CVE-2019-7161
18 Mar 2019 — An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data. Se ha descubierto un problema en Zoho ManageEngine ADSelfService Plus, en versiones 5.x hasta la Build 5704. Emplea claves de cifrado fijas para proteger la información, otorgando a un atacante la capacidad de descifrar cualquier dato protegido. • https://www.excellium-services.com/cert-xlm-advisory/cve-2019-7161 • CWE-798: Use of Hard-coded Credentials •
CVSS: 9.8EPSS: 2%CPEs: 92EXPL: 0CVE-2018-20664
https://notcve.org/view.php?id=CVE-2018-20664
03 Jan 2019 — Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license. Zoho ManageEngine ADSelfService Plus, en sus versiones 5.x antes del build 5701, tiene XEE (XML External Entity) mediante una licencia de producto subida. • https://www.excellium-services.com/cert-xlm-advisory/cve-2018-20664 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 10.0EPSS: 2%CPEs: 101EXPL: 0CVE-2019-3905
https://notcve.org/view.php?id=CVE-2019-3905
03 Jan 2019 — Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF. Zoho ManageEngine ADSelfService Plus, en sus versiones 5.x antes del build 5703, tiene Server-Side Request Forgery (SSRF). • https://www.excellium-services.com/cert-xlm-advisory/cve-2019-3905 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 6.1EPSS: 0%CPEs: 92EXPL: 2CVE-2018-20484 – Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-20484
26 Dec 2018 — Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation. Zoho ManageEngine ADSelfService Plus, en versiones 5.7 anteriores a la build 5702, tiene Cross-Site Scripting (XSS) en la implementación del diseño de autoactualización. Zoho ManageEngine ADSelfService Plus version 5.7 builds prior to 5702 suffer from multiple cross site scripting vulnerabilities. • https://packetstorm.news/files/id/152793 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 116EXPL: 2CVE-2018-20485 – Zoho ManageEngine ADSelfService Plus 5.7 < 5702 build - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2018-20485
26 Dec 2018 — Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature. Zoho ManageEngine OpManager 5.7 antes de la build 5702 tiene Cross-Site Scripting (XSS) mediante la característica de búsqueda de empleados. Zoho ManageEngine ADSelfService Plus version 5.7 builds prior to 5702 suffer from multiple cross site scripting vulnerabilities. • https://packetstorm.news/files/id/152793 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 2CVE-2014-3779 – ADSelfservice Plus 5.1 Cross Site Scripting
https://notcve.org/view.php?id=CVE-2014-3779
03 Jan 2015 — Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to GroupSubscription.do. Vulnerabilidad de XSS en ZOHO ManageEngine ADSelfService Plus anterior a 5.2 Build 5202 permite a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro name en GroupSubscription.do. AdSelfservice Plus version 5.1 suffers from a cross site scripting vulnera... • https://packetstorm.news/files/id/129803 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 1%CPEs: 1EXPL: 3CVE-2011-5105 – ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2011-5105
23 Aug 2012 — Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 allow remote attackers to inject arbitrary web script or HTML via the (1) searchType and (2) searchString parameters, a different vulnerability than CVE-2010-3274. Múltiples vulnerabilidades de ejecución de comandos en sitios cruzados (XSS) en EmployeeSearch.cc en ZOHO ManageEngine ADSelfService Plus v4.5 Build 4521 permite a atacantes remotos inyectar código web o HTML arbitrario ... • https://www.exploit-db.com/exploits/36316 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •