CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 1CVE-2019-12476
https://notcve.org/view.php?id=CVE-2019-12476
An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input. Una vulnerabilidad de omisión de identificación en la funcionalidad de restablecimiento de contraseña en Zoho ManageEngine ADSelfService Plus antes de la versión 5.0.6 permite a un atacante con acceso físico obtener una shell con privilegios de SISTEMA a través del navegador restringido de clientes densos. El ataque usa una larga secuencia de entradas de teclado creadas. • https://github.com/0katz/CVE-2019-12476 http://www.securityfocus.com/bid/108813 https://gist.github.com/0katz/54167ba30ea361f3776e269bb7b1afb3 • CWE-640: Weak Password Recovery Mechanism for Forgotten Password •
CVSS: 6.1EPSS: 0%CPEs: 100EXPL: 0CVE-2019-8346
https://notcve.org/view.php?id=CVE-2019-8346
In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token. En Zoho ManageEngine ADSelfService Plus versión 5.x hasta 5704, una vulnerabilidad de tipo cross-site Scripting (XSS) en el archivo authorization.do permite una manipulación no autenticada del código JavaScript inyectando el formulario HTTP en el parametro adscsrf. Un atacante puede utilizar esto para capturar el restablecimiento de la contraseña de autoservicio AD de un usuario y el token MFA. • https://www.manageengine.com/products/self-service-password/release-notes.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 99EXPL: 0CVE-2019-11511
https://notcve.org/view.php?id=CVE-2019-11511
Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API. Zoho ManageEngine ADSelfService Plus, en versiones anteriores del build 5708, es vulnerable a un XSS a través de la API de aplicaciones móviles. • https://www.manageengine.com/products/self-service-password/release-notes.html#5708 https://zeroauth.ltd/blog/2019/05/26/cve-2019-11511-zoho-manageengine-adselfservice-plus-xss • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 1%CPEs: 103EXPL: 0CVE-2019-7161
https://notcve.org/view.php?id=CVE-2019-7161
An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data. Se ha descubierto un problema en Zoho ManageEngine ADSelfService Plus, en versiones 5.x hasta la Build 5704. Emplea claves de cifrado fijas para proteger la información, otorgando a un atacante la capacidad de descifrar cualquier dato protegido. • https://www.excellium-services.com/cert-xlm-advisory/cve-2019-7161 https://www.manageengine.com/products/self-service-password/release-notes.html • CWE-798: Use of Hard-coded Credentials •
CVSS: 9.8EPSS: 1%CPEs: 92EXPL: 0CVE-2018-20664
https://notcve.org/view.php?id=CVE-2018-20664
Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license. Zoho ManageEngine ADSelfService Plus, en sus versiones 5.x antes del build 5701, tiene XEE (XML External Entity) mediante una licencia de producto subida. • https://www.excellium-services.com/cert-xlm-advisory/cve-2018-20664 https://www.manageengine.com/products/self-service-password/release-notes.html#5701 • CWE-611: Improper Restriction of XML External Entity Reference •