Zoho Corp ManageEngine ADSelfService Plus 6.0
cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:-:*:*:*:*:*:*
part: a version: 6.0 update: -
| Vendor | Zohocorp (4f1ab088-ab0e-54ac-b0dc-2304879a7502) |
|---|---|
| Product | Manageengine Adselfservice Plus (3fbdb5d5-250e-50f0-93a4-67a4b1106c54) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from NVD CPE 2.0 feed |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2023-28342 | vulnerable | 2026-06-03 14:51:08.866113 | Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API. Published: 2023-04-05T00:00:00.000Z Updated: 2025-02-13T16:00:12.940Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-40539 | vulnerable | 2026-06-03 14:45:24.375388 | Zoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution. Published: 2021-09-07T16:06:58.000Z Updated: 2025-10-21T23:25:35.374Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-28958 | vulnerable | 2026-06-03 14:44:19.117203 | Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password. Published: 2021-06-25T11:54:17.000Z Updated: 2024-08-03T21:55:12.288Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2021-27214 | vulnerable | 2026-06-03 14:44:09.689437 | A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905. Published: 2021-02-19T18:39:28.000Z Updated: 2024-08-03T20:40:47.379Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2020-11552 | vulnerable | 2026-06-03 14:41:26.310473 | An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick-client software is launched, which connects to a remote ADSelfService Plus server to facilitate self-service operations. An unauthenticated attacker having physical access to the host could trigger a security alert by supplying a self-signed SSL certificate to the client. The View Certificate option from the security alert allows an attacker to export a displayed certificate to a file. This can further cascade to a dialog that can open Explorer as SYSTEM. By navigating from Explorer to \windows\system32, cmd.exe can be launched as a SYSTEM. Published: 2020-08-11T15:43:14.000Z Updated: 2024-08-04T11:35:13.226Z | Imported from gcve-enriched-dumps CVE data |