QID 378403
Date Published: 2023-04-20
QID 378403: Zoho ManageEngine ADSelfService Plus Cross-Site Scripting (XSS) Vulnerability
ManageEngine ADSelfService Plus is a secure, web-based, end-user password reset management and single sign-on solution that helps domain users to perform self-service password reset, self-service account unlock, employee self-update of personal details (e.g., mobile numbers and photos) in Microsoft Windows Active Directory.
CVE-2022-24681 refers to a security vulnerability found in ManageEngine ADSelfService Plus that allowed XSS script execution on the reset password, unlock account, and user must change password pages. The vulnerability was triggered by a script inserted by the user while editing their profile information in the attribute field for the welcome name.
Affected Version:
Zoho ManageEngine ADSelfService Plus build 6120 and below
QID Detection Logic:
Authenticated : Checks for vulnerable version of ManageEngine ADSelfService Plus build 6120 and below
Successful exploitation of this vulnerability affects only the respective user or anyone attempting to impersonate that user.
Customers are advised to visit Zoho ManageEngine ADSelfService Plus Security Advisory for updates pertaining this vulnerability.
- Zoho ManageEngine ADSelfService Plus Security Advisory -
www.manageengine.com/products/self-service-password/advisory/CVE-2022-24681.html
CVEs related to QID 378403
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| Zoho ManageEngine ADSelfService Plus Security Advisory |
www.manageengine.com/products/self-service-password/advisory/CVE-2022-24681.html |