CVE-2023-35854
The CVE-2023-35854 vulnerability affects Zoho ManageEngine ADSelfService Plus up to and including version 6113, via an authentication bypass in a critical function that can enable an attacker to steal a domain controller session token and impersonate a domain administrator. Affected component: au...
CVE-2023-35854
Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found...
CVE-2023-28342
Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API...
Authentication flaw
Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API...
PT-2023-7423 · Zoho · Zoho Manageengine Admanager Plus +1
Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine ADManager Plus (affected versions not specified); Zoho ManageEngine ADSelfService Plus versions prior to 6218.
Description: The issue is related to insufficient input validation in the DomainUserSSPLogonAuth method of the Zoho...
CVE-2023-28342
Zoho ManageEngine ADSelfService Plus pre-6218 is affected by a denial-of-service vulnerability via the Mobile App Authentication API. Root cause cited as improper input handling/validation in the Mobile App Authentication API flow, enabling unauthenticated remote DoS. Public sources confirm the e...
CVE-2022-36413
Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications...
Default credentials
Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications...
PT-2023-13490 · Zoho · Zoho Manageengine Adselfservice Plus
Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine ADSelfService Plus versions through 6203.
Description: The issue allows for a brute-force attack, leading to a password reset on IDM applications. This is a result of a weakness in the password reset mechanism, which can be...
ManageEngine ADSelfService Plus < build 6122 Command Injection
According to its self-reported version, the ManageEngine ADSelfService Plus application running on the remote host is prior to build 6122. It is, therefore, affected by a command injection vulnerability that allows a remote authenticated administrator to execute arbitrary operating system commands a...
CISA's KEV Catalog Updated with 3 New Flaws Threatening IT Management Systems
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. The list of vulnerabilities is below: CVE-2022-35914 (CVSS score: 9.8), Teclib GLPI Remote Code Execution...
ManageEngine ADSelfService Plus Unauthenticated SAML Remote Code Execution Exploit
This Metasploit module exploits an unauthenticated remote code execution vulnerability that affects Zoho ManageEngine ADSelfService Plus versions 6210 and below. Due to a dependency on an outdated library, Apache Santuario version 1.4.1, it is possible to execute arbitrary code by providing a...
ManageEngine ADSelfService Plus Unauthenticated SAML Remote Code Execution
This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Name' => 'ManageEngine ADSelfService Plus Unauthenticated SAML RCE', 'Description' => %q This exploits an unauthenticated remote code execution vulnerabilit...
CVE-2022-34829
Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service application restart via a crafted payload to the Mobile App Deployment API...