Filtered by vendor Zohocorp
Filtered by product Manageengine Adselfservice Plus
Total: 47 CVE (20 shown on this page)
CVE | Vendors | Products | Updated | CVSS v3.1 | Description |
---|---|---|---|---|---|
CVE-2020-11552 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-04 | 9.8 Critical | An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One entry point is the self-service option on the Windows login screen. Upon selecting this option, the thick-client software is launched, which connects to a remote ADSelfService Plus server to facilitate self-service operations. An unauthenticated attacker having physical access to the host could trigger a security alert by supplying a self-signed SSL certificate to the client. The View Certificate option from the security alert allows an attacker to export the displayed certificate to a file. This can further cascade to a dialog that can open Explorer as SYSTEM. By navigating from Explorer to \windows\system32, cmd.exe can be launched as SYSTEM. |
CVE-2020-11518 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-04 | 9.8 Critical | Zoho ManageEngine ADSelfService Plus before 5815 allows unauthenticated remote code execution. |
CVE-2021-40539 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-04 | 9.8 Critical | Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. |
CVE-2021-37417 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-04 | 9.8 Critical | Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation. |
CVE-2021-37423 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-04 | 9.8 Critical | Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to linked applications takeover. |
CVE-2021-37422 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-04 | 9.8 Critical | Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL injection while linking the databases. |
CVE-2021-37416 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-04 | 6.1 Medium | Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page. |
CVE-2021-37421 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-04 | 9.8 Critical | Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass. |
CVE-2021-33256 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-04 | 8.8 High | A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable, and a reverse shell could be obtained if a privileged user exports the "User Attempts Audit Report" as a CSV file. Note: the vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side." |
CVE-2021-33055 | Microsoft, Zohocorp | Windows, Manageengine Adselfservice Plus | 2024-08-03 | 9.8 Critical | Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions. |
CVE-2021-31874 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-03 | 5.9 Medium | Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the password-sync database application. |
CVE-2021-28958 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-03 | 9.8 Critical | Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated remote code execution while changing the password. |
CVE-2021-27956 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-03 | 6.1 Medium | Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field. |
CVE-2021-27214 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-03 | 6.1 Medium | A server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or a cross-site scripting (XSS) attack against the administrative interface via an HTTP request; this is a different vulnerability than CVE-2019-3905. |
CVE-2021-20147 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-03 | 5.3 Medium | ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists. |
CVE-2021-20148 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-03 | 4.3 Medium | ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a predictable filename based on the domain name. When ADSSP is configured with multiple Windows domains, a user from one domain can obtain the password policy for another domain by authenticating to the service and then sending a request specifying the password policy file of the other domain. |
CVE-2022-36413 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-03 | 9.1 Critical | Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications. |
CVE-2022-34829 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-03 | 7.5 High | Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App Deployment API. |
CVE-2022-29457 | Zohocorp | Manageengine Adaudit Plus, Manageengine Admanager Plus, Manageengine Adselfservice Plus and 1 more | 2024-08-03 | 8.8 High | Zoho ManageEngine ADSelfService Plus before 6121, ADAudit Plus before 7060, Exchange Reporter Plus before 5701, and ADManager Plus before 7131 allow NTLM hash disclosure during certain storage-path configuration steps. |
CVE-2022-28987 | Zohocorp | Manageengine Adselfservice Plus | 2024-08-03 | 5.3 Medium | Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to /ServletAPI/accounts/login. |
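The practical question this table answers is "which of these apply to the build I am running?". The following script is an added example for this page, not code from the page, from NVD or from Zoho: it transcribes the affected-range phrases from the descriptions above, parses the four wordings they use ("before [build] N" and "below build N" mean N is the fixed build; "through N" and "N and prior" mean N is still affected), and reports the listed CVEs that cover a given build. The vendor-disputed CVE-2021-33256 names only a single build, so it is matched on that build alone. Only the 20 entries shown on this page are included.

```python
"""Map an ADSelfService Plus build number to the CVEs in the table above.

Added example for this page; not code from the page, from NVD or from Zoho.
The range phrases are copied from the descriptions above.
"""
import re
from typing import List, NamedTuple, Tuple

# (CVE id, affected-range phrase as worded in the description, CVSS v3.1)
LISTED: List[Tuple[str, str, float]] = [
    ("CVE-2020-11552", "before build 6003", 9.8),
    ("CVE-2020-11518", "before 5815", 9.8),
    ("CVE-2021-40539", "6113 and prior", 9.8),
    ("CVE-2021-37417", "6103 and prior", 9.8),
    ("CVE-2021-37423", "6111 and prior", 9.8),
    ("CVE-2021-37422", "6111 and prior", 9.8),
    ("CVE-2021-37416", "6103 and prior", 6.1),
    ("CVE-2021-37421", "6103 and prior", 9.8),
    ("CVE-2021-33256", "Build No: 6101", 8.8),  # vendor-disputed, single reported build
    ("CVE-2021-33055", "through 6102", 9.8),    # non-English editions only
    ("CVE-2021-31874", "before 6104", 5.9),
    ("CVE-2021-28958", "through 6101", 9.8),
    ("CVE-2021-27956", "before 6104", 6.1),
    ("CVE-2021-27214", "through 6013", 6.1),
    ("CVE-2021-20147", "below build 6116", 5.3),
    ("CVE-2021-20148", "below build 6116", 4.3),
    ("CVE-2022-36413", "through 6203", 9.1),
    ("CVE-2022-34829", "before 6203", 7.5),
    ("CVE-2022-29457", "before 6121", 8.8),
    ("CVE-2022-28987", "before 6202", 5.3),
]


class Range(NamedTuple):
    kind: str   # "lt": affected if build < bound; "eq": affected only at bound
    bound: int

    def affects(self, build: int) -> bool:
        return build < self.bound if self.kind == "lt" else build == self.bound


_EXCLUSIVE = re.compile(r"\b(?:before|below)(?:\s+build)?\s+(\d{4})\b")    # N is the fixed build
_INCLUSIVE = re.compile(r"\bthrough\s+(\d{4})\b|\b(\d{4})\s+and\s+prior\b")  # N is still affected
_SINGLE = re.compile(r"\bBuild No:\s*(\d{4})\b")                            # one reported build


def parse_range(phrase: str) -> Range:
    """Turn a description phrase into a Range; fail loudly on wording not seen above."""
    m = _EXCLUSIVE.search(phrase)
    if m:
        return Range("lt", int(m.group(1)))
    m = _INCLUSIVE.search(phrase)
    if m:
        return Range("lt", int(m.group(1) or m.group(2)) + 1)
    m = _SINGLE.search(phrase)
    if m:
        return Range("eq", int(m.group(1)))
    raise ValueError(f"unrecognised range phrase: {phrase!r}")


def parse_build(version_text: str) -> int:
    """Extract the build number from strings such as '6.1 Build No: 6203' or '6203'."""
    builds = re.findall(r"\b\d{4}\b", version_text)
    if not builds:
        raise ValueError(f"no build number in {version_text!r}")
    return int(builds[-1])


def affecting(build: int) -> List[Tuple[str, float]]:
    """CVEs from the table whose range covers this build, highest CVSS first."""
    hits = [(cve, cvss) for cve, phrase, cvss in LISTED if parse_range(phrase).affects(build)]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def min_clean_build() -> int:
    """Lowest build that none of the listed 'lt' ranges reaches."""
    return max(parse_range(p).bound for _, p, _ in LISTED if parse_range(p).kind == "lt")


if __name__ == "__main__":
    build = parse_build("6.1 Build No: 6113")
    for cve, cvss in affecting(build):
        print(f"{cve}  CVSS {cvss}")
    print("first build clear of every listed range:", min_clean_build())
```

Run it with the build string from the product's About dialog. Because CVE-2022-36413 is worded "through 6203", any build below 6204 still matches at least one entry on this page; the parser raises on an unfamiliar phrase rather than silently treating it as unaffected, which is the safer failure mode when new rows are added.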
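The CSV injection entry (CVE-2021-33256) describes a sink that is worth understanding independently of the vendor's dispute: a string accepted in the login form's j_username field is later written verbatim into an exported audit report, and a spreadsheet opening that report evaluates any cell that begins with a formula character. The script below is an added example, not code from the page or from Zoho; the report column layout and the sample rows are constructed for illustration. It shows the unsafe export beside a neutralized one and includes a scanner for reports that have already been exported.

```python
"""CSV formula injection: the export path CVE-2021-33256 describes, unsafe and hardened.

Added example, not code from the page or from Zoho. Column names and
sample rows are constructed; the formula cell is a harmless =SUM().
"""
import csv
import io
from typing import Iterable, List, Sequence, Tuple

# Leading characters that Excel and LibreOffice treat as the start of a formula.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would try to evaluate this cell rather than display it."""
    return cell.startswith(FORMULA_TRIGGERS)


def neutralize_cell(cell: str) -> str:
    """Prefix a formula-looking cell with an apostrophe so spreadsheets keep it as text."""
    return "'" + cell if is_formula_like(cell) else cell


def export_report(rows: Iterable[Sequence[str]], neutralize: bool) -> str:
    """Write the (assumed) report layout as CSV; neutralize=False reproduces the unsafe export."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["time", "j_username", "result"])
    for row in rows:
        cells = [str(c) for c in row]
        writer.writerow([neutralize_cell(c) for c in cells] if neutralize else cells)
    return out.getvalue()


def audit_export(csv_text: str) -> List[Tuple[int, int, str]]:
    """Scan an exported CSV for cells a spreadsheet would evaluate: (row, col, cell)."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(row):
            if is_formula_like(cell):
                findings.append((r, c, cell))
    return findings


# Constructed sample: two ordinary login attempts and one whose "username" is a formula.
SAMPLE_ROWS = [
    ("2021-06-01 09:12:03", "j.doe", "failed"),
    ("2021-06-01 09:12:41", "=SUM(1,2)", "failed"),   # attacker-supplied j_username
    ("2021-06-01 09:13:10", "a.smith", "success"),
]


if __name__ == "__main__":
    unsafe = export_report(SAMPLE_ROWS, neutralize=False)
    print(unsafe)
    print("cells a spreadsheet would evaluate:", audit_export(unsafe))
    print(export_report(SAMPLE_ROWS, neutralize=True))
```

Two points the example makes concrete. Quoting every field (which the unsafe export already does) is not a defence: a quoted cell that starts with `=` is still evaluated when the file is opened in Excel. And the apostrophe prefix is a sink-side mitigation that also alters legitimate values such as negative numbers, so the input side matters too: a login audit log has no reason to store a "username" that begins with a formula character, and rejecting or truncating such values at the j_username parameter keeps them out of every later export.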