Filtered by vendor Zohocorp Subscriptions
Filtered by product Manageengine Adselfservice Plus Subscriptions
Total 48 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-27310 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-10-07 5.3 Medium
Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to the DOS attack due to the malicious LDAP input.
CVE-2023-35719 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-09-26 6.8 Medium
ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009.
CVE-2022-47966 1 Zohocorp 22 Manageengine Access Manager Plus, Manageengine Ad360, Manageengine Adaudit Plus and 19 more 2024-09-16 9.8 Critical
Multiple Zoho ManageEngine on-premise products, such as ServiceDesk Plus through 14003, allow remote code execution due to use of Apache Santuario xmlsec (aka XML Security for Java) 1.4.1, because the xmlsec XSLT features, by design in that version, make the application responsible for certain security protections, and the ManageEngine applications did not provide those protections. This affects Access Manager Plus before 4308, Active Directory 360 before 4310, ADAudit Plus before 7081, ADManager Plus before 7162, ADSelfService Plus before 6211, Analytics Plus before 5150, Application Control Plus before 10.1.2220.18, Asset Explorer before 6983, Browser Security Plus before 11.1.2238.6, Device Control Plus before 10.1.2220.18, Endpoint Central before 10.1.2228.11, Endpoint Central MSP before 10.1.2228.11, Endpoint DLP before 10.1.2137.6, Key Manager Plus before 6401, OS Deployer before 1.1.2243.1, PAM 360 before 5713, Password Manager Pro before 12124, Patch Manager Plus before 10.1.2220.18, Remote Access Plus before 10.1.2228.11, Remote Monitoring and Management (RMM) before 10.1.41. ServiceDesk Plus before 14004, ServiceDesk Plus MSP before 13001, SupportCenter Plus before 11026, and Vulnerability Manager Plus before 10.1.2220.18. Exploitation is only possible if SAML SSO has ever been configured for a product (for some products, exploitation requires that SAML SSO is currently active).
CVE-2010-3272 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-08-07 N/A
accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it easier for remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, via a modified (1) Hide_Captcha or (2) quesList parameter in a validateAll action.
CVE-2010-3273 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-08-07 N/A
ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allows remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, by providing a user id to accounts/ValidateUser, and then providing a new password to accounts/ResetResult.
CVE-2010-3274 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-08-07 N/A
Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or (2) Search action.
CVE-2011-5105 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-08-07 N/A
Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 allow remote attackers to inject arbitrary web script or HTML via the (1) searchType and (2) searchString parameters, a different vulnerability than CVE-2010-3274.
CVE-2014-3779 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-08-06 N/A
Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject arbitrary web script or HTML via the name parameter to GroupSubscription.do.
CVE-2018-20664 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-08-05 N/A
Zoho ManageEngine ADSelfService Plus 5.x before build 5701 has XXE via an uploaded product license.
CVE-2018-20485 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-08-05 N/A
Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature.
CVE-2018-20484 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-08-05 N/A
Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation.
CVE-2018-5353 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-08-05 9.8 Critical
The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required
CVE-2019-18781 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-08-05 6.1 Medium
An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site.
CVE-2019-18411 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-08-05 8.8 High
Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the reset password function and control the system to send the authentication code back to the channel that the attackers own.
CVE-2019-12876 1 Zohocorp 3 Manageengine Admanager Plus, Manageengine Adselfservice Plus, Manageengine Desktop Central 2024-08-04 N/A
Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System.
CVE-2019-12476 2 Microsoft, Zohocorp 2 Windows, Manageengine Adselfservice Plus 2024-08-04 N/A
An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input.
CVE-2019-11511 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-08-04 N/A
Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API.
CVE-2019-8346 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-08-04 N/A
In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token.
CVE-2019-7162 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-08-04 9.1 Critical
An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to retrieve internal information from the system and modify the product installation.
CVE-2019-7161 1 Zohocorp 1 Manageengine Adselfservice Plus 2024-08-04 N/A
An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data.