ManageEngine ADSelfService Plus
by Zohocorp
CVEs (24)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-2740 | | High | 0.55 | 8.4 | 0.02 | | May 21, 2026 | Zohocorp ManageEngine ADSelfService Plus version before 6525, DataSecurity Plus before 6264 and RecoveryManager Plus before 6313 are vulnerable to Authenticated Remote code execution in the agent machines due to the bug in the 3rd party dependency. |
| CVE-2026-1367 | | High | 0.54 | 8.3 | 0.08 | | Feb 23, 2026 | Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option. |
| CVE-2010-3274 | | | 0.05 | — | 0.21 | | Feb 17, 2011 | Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allow remote attackers to inject arbitrary web script or HTML via the searchString parameter in a (1) showList or… |
| CVE-2022-29457 | | | 0.04 | — | 0.08 | | Apr 18, 2022 | Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash disclosure during certain storage-path configuration steps. |
| CVE-2018-20484 | | | 0.03 | — | 0.05 | | Dec 26, 2018 | Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation. |
| CVE-2018-20485 | | | 0.03 | — | 0.05 | | Dec 26, 2018 | Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the employee search feature. |
| CVE-2011-5105 | | | 0.03 | — | 0.06 | | Aug 23, 2012 | Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 allow remote attackers to inject arbitrary web script or HTML via the (1) searchType and (2) searchString parameters, a different vulnerability than… |
| CVE-2010-3272 | | | 0.03 | — | 0.04 | | Feb 17, 2011 | accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it easier for remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, via a modified (1)… |
| CVE-2018-5353 | | | 0.01 | — | 0.08 | | Sep 29, 2020 | The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable… |
| CVE-2019-7162 | | | 0.01 | — | 0.04 | | Dec 31, 2019 | An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to retrieve internal information from the system and modify the product installation. |
| CVE-2025-11250 | | | 0.00 | — | 0.01 | | Jan 13, 2026 | Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations. |
| CVE-2025-3833 | | | 0.00 | — | 0.28 | | May 14, 2025 | Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports. |
| CVE-2025-1723 | | | 0.00 | — | 0.01 | | Mar 3, 2025 | Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling. Valid account holders in the setup only have the potential to exploit this bug. |
| CVE-2024-27310 | | | 0.00 | — | 0.02 | | May 27, 2024 | Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to the DOS attack due to the malicious LDAP input. |
| CVE-2022-36413 | | | 0.00 | — | 0.03 | | Mar 23, 2023 | Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications. |
| CVE-2019-18781 | | | 0.00 | — | 0.02 | | Dec 18, 2019 | An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users who click on a crafted link to be sent to a specified external site. |
| CVE-2019-18411 | | | 0.00 | — | 0.02 | | Nov 6, 2019 | Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the… |
| CVE-2019-12876 | | | 0.00 | — | 0.05 | | Jul 17, 2019 | Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege Escalation from low level privileges to System. |
| CVE-2019-11511 | | | 0.00 | — | 0.02 | | Apr 25, 2019 | Zoho ManageEngine ADSelfService Plus before build 5708 has XSS via the mobile app API. |
| CVE-2019-7161 | | | 0.00 | — | 0.06 | | Mar 18, 2019 | An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect information, giving the capacity for an attacker to decipher any protected data. |