Cross-Site Scripting Vulnerability in Zoho ManageEngine ADSelfService Plus
CVE-2022-24681

6.1MEDIUM

Key Information:

Vendor

Zohocorp
Status
Manageengine Adselfservice Plus
Vendor
CVE Published:
7 April 2022

What is CVE-2022-24681?

A vulnerability exists in Zoho ManageEngine ADSelfService Plus prior to version 6121, where an attacker can exploit the welcome name attribute to execute a cross-site scripting attack. This could impact the Reset Password, Unlock Account, or User Must Change Password screens, potentially allowing for malicious scripts to be run in the browser of unsuspecting users.

References

https://manageengine.com
x_refsource_MISC
https://www.manageengine.com/products/self-service-passwo...
x_refsource_CONFIRM
https://raxis.com/blog/cve-2022-24681
x_refsource_MISC

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.