CVE-2022-24681

Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.

Published: Apr 8, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-24681
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
zohocorp / manageengine_adselfservice_plus	6.1-6100	6.1-6100.x
zohocorp / manageengine_adselfservice_plus	6.1-6103	6.1-6103.x
zohocorp / manageengine_adselfservice_plus	6.1	6.1.x
zohocorp / manageengine_adselfservice_plus	-	6.1
zohocorp / manageengine_adselfservice_plus	6.1-6101	6.1-6101.x
zohocorp / manageengine_adselfservice_plus	6.1-6102	6.1-6102.x
zohocorp / manageengine_adselfservice_plus	6.1-6104	6.1-6104.x
zohocorp / manageengine_adselfservice_plus	6.1-6105	6.1-6105.x
zohocorp / manageengine_adselfservice_plus	6.1-6106	6.1-6106.x
zohocorp / manageengine_adselfservice_plus	6.1-6113	6.1-6113.x
zohocorp / manageengine_adselfservice_plus	6.1-6107	6.1-6107.x
zohocorp / manageengine_adselfservice_plus	6.1-6108	6.1-6108.x
zohocorp / manageengine_adselfservice_plus	6.1-6109	6.1-6109.x
zohocorp / manageengine_adselfservice_plus	6.1-6110	6.1-6110.x
zohocorp / manageengine_adselfservice_plus	6.1-6111	6.1-6111.x
zohocorp / manageengine_adselfservice_plus	6.1-6115	6.1-6115.x
zohocorp / manageengine_adselfservice_plus	6.1-6112	6.1-6112.x
zohocorp / manageengine_adselfservice_plus	6.1-6114	6.1-6114.x
zohocorp / manageengine_adselfservice_plus	6.1-6120	6.1-6120.x
zohocorp / manageengine_adselfservice_plus	6.1-6116	6.1-6116.x
zohocorp / manageengine_adselfservice_plus	6.1-6117	6.1-6117.x
zohocorp / manageengine_adselfservice_plus	6.1-6118	6.1-6118.x
zohocorp / manageengine_adselfservice_plus	6.1-6119	6.1-6119.x

Vulnerability Database

289,697

CVE-2022-24681