A security vulnerability exists in ZOHO ManageEngine ADSelfService Plus, ZOHO’s integrated self-service password management and single sign-on solution for Active Directory and cloud applications. The vulnerability is caused by ManageEngine ADSelfService Plus under build 6116 storing the password policy file for each domain in the html/ web root directory and using predictable file names based on the domain name. When ADSSP is configured with multiple Windows domains, a user from one domain can obtain the password policy for another domain by authenticating to the service and then sending a request specifying the password policy file for the other domain. No details of the vulnerability are currently available.