Ernesto Alvarez

**Name of the Vulnerable Software and Affected Versions** ManageEngine ADSelfService Plus versions prior to 4.5 Build 4500 **Description** The issue concerns the security-questions implementation in ManageEngine ADSelfService Plus, where the "accounts/ValidateAnswers" endpoint is vulnerable to password reset attacks. Remote attackers can exploit this by modifying the `Hide Captcha` or `quesList` parameter in a `validateAll` action, allowing them to reset user passwords and gain access to arbitrary user accounts. **Recommendations** For versions prior to 4.5 Build 4500, update to version 4.5 Build 4500 or later to resolve the issue. As a temporary workaround, consider restricting access to the "accounts/ValidateAnswers" endpoint or disabling the security-questions feature until a patch is applied. Avoid using the `Hide Captcha` or `quesList` parameter in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ManageEngine ADSelfService Plus versions prior to 4.5 Build 4500 **Description** The issue allows remote attackers to reset user passwords by providing a `user id` to "accounts/ValidateUser" and then a new password to "accounts/ResetResult", which can lead to access to arbitrary user accounts. **Recommendations** For versions prior to 4.5 Build 4500, update to version 4.5 Build 4500 or later to resolve the issue. As a temporary workaround, consider restricting access to the "accounts/ValidateUser" and "accounts/ResetResult" API endpoints until a patch is applied. Avoid using the `user id` parameter in the affected API endpoints until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ZOHO ManageEngine ADSelfService Plus versions prior to 4.5 Build 4500 **Description** The issue concerns multiple cross-site scripting (XSS) vulnerabilities in the Employee Search Engine of ZOHO ManageEngine ADSelfService Plus. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML via the `searchString` parameter in specific actions, including showList and Search actions. **Recommendations** For versions prior to 4.5 Build 4500, update to version 4.5 Build 4500 or later to resolve the issue. As a temporary workaround, consider restricting access to the Employee Search Engine or avoiding the use of the `searchString` parameter in the affected actions until the update is applied.