CVSS: 9.1EPSS: 55%CPEs: 1EXPL: 0CVE-2019-7162
https://notcve.org/view.php?id=CVE-2019-7162
31 Dec 2019 — An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to retrieve internal information from the system and modify the product installation. Se descubrió un problema en Zoho ManageEngine ADSelfService Plus versión 5.6 Build 5607. Un servicio expuesto permite que una persona no autenticada recupere información interna del sistema y modifique la instalación del producto. • https://www.excellium-services.com/cert-xlm-advisory/cve-2019-7162 •
CVSS: 6.1EPSS: 0%CPEs: 119EXPL: 0CVE-2019-18781
https://notcve.org/view.php?id=CVE-2019-18781
18 Dec 2019 — An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site. Se detectó una vulnerabilidad de redireccionamiento abierto en Zoho ManageEngine ADSelfService Plus versiones 5.x anteriores a 5809, lo que permite a atacantes obligar a usuarios que hacen clic en un enlace diseñado a ser enviados a un sitio externo específico. • https://pitstop.manageengine.com/portal/community/topic/adselfservice-plus-5809-release • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 8.8EPSS: 0%CPEs: 110EXPL: 0CVE-2019-18411
https://notcve.org/view.php?id=CVE-2019-18411
06 Nov 2019 — Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the reset password function and control the system to send the authentication code back to the channel that the attackers own. Zoho ManageEngine ADSelfService Plus versiones 5.x hasta 5803, presenta una vulnerabilidad de tipo CSRF en la pág... • https://gist.github.com/aliceicl/e32fb4a17277c7db9e0256185ac03dae • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.5EPSS: 0%CPEs: 3EXPL: 1CVE-2019-12876
https://notcve.org/view.php?id=CVE-2019-12876
17 Jul 2019 — Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System. Zoho ManageEngine ADManager Plus versión 6.6.5, ADSelfService Plus versión 5.7, y DesktopCentral versión 10.0.380 tiene permisos no seguros, lo que conlleva a una escalada de privilegios desde los privilegios de bajo nivel hasta el sistema. • http://www.securityfocus.com/bid/109298 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 1CVE-2019-12476
https://notcve.org/view.php?id=CVE-2019-12476
17 Jun 2019 — An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input. Una vulnerabilidad de omisión de identificación en la funcionalidad de restablecimiento de contraseña en Zoho ManageEngine ADSelfService Plus antes de la versión 5.0.6 permite a un atacante con acceso físi... • https://github.com/0katz/CVE-2019-12476 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 6.1EPSS: 6%CPEs: 100EXPL: 0CVE-2019-8346
https://notcve.org/view.php?id=CVE-2019-8346
24 May 2019 — In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token. En Zoho ManageEngine ADSelfService Plus versión 5.x hasta 5704, una vulnerabilidad de tipo cross-site Scripting (XSS) en el archivo authorization.do permite una manipulación no autenticada d... • https://www.manageengine.com/products/self-service-password/release-notes.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 4%CPEs: 99EXPL: 0CVE-2019-11511
https://notcve.org/view.php?id=CVE-2019-11511
25 Apr 2019 — Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API. Zoho ManageEngine ADSelfService Plus, en versiones anteriores del build 5708, es vulnerable a un XSS a través de la API de aplicaciones móviles. • https://www.manageengine.com/products/self-service-password/release-notes.html#5708 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 5%CPEs: 103EXPL: 0CVE-2019-7161
https://notcve.org/view.php?id=CVE-2019-7161
18 Mar 2019 — An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data. Se ha descubierto un problema en Zoho ManageEngine ADSelfService Plus, en versiones 5.x hasta la Build 5704. Emplea claves de cifrado fijas para proteger la información, otorgando a un atacante la capacidad de descifrar cualquier dato protegido. • https://www.excellium-services.com/cert-xlm-advisory/cve-2019-7161 • CWE-798: Use of Hard-coded Credentials •
CVSS: 9.8EPSS: 2%CPEs: 92EXPL: 0CVE-2018-20664
https://notcve.org/view.php?id=CVE-2018-20664
03 Jan 2019 — Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license. Zoho ManageEngine ADSelfService Plus, en sus versiones 5.x antes del build 5701, tiene XEE (XML External Entity) mediante una licencia de producto subida. • https://www.excellium-services.com/cert-xlm-advisory/cve-2018-20664 • CWE-611: Improper Restriction of XML External Entity Reference •
CVSS: 10.0EPSS: 2%CPEs: 101EXPL: 0CVE-2019-3905
https://notcve.org/view.php?id=CVE-2019-3905
03 Jan 2019 — Zoho ManageEngine ADSelfService Plus 5.x before build 5703 has SSRF. Zoho ManageEngine ADSelfService Plus, en sus versiones 5.x antes del build 5703, tiene Server-Side Request Forgery (SSRF). • https://www.excellium-services.com/cert-xlm-advisory/cve-2019-3905 • CWE-918: Server-Side Request Forgery (SSRF) •