Marcin Ogorzelski

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine ADSelfService Plus versions prior to 6112 **Description** The issue is related to a Server-Side Request Forgery (SSRF) vulnerability. SSRF is a type of attack where an attacker can trick a server into making requests to internal or external resources, potentially leading to unauthorized access or data exposure. **Recommendations** For versions prior to 6112, update to version 6112 or later to resolve the issue. As a temporary workaround, consider restricting access to sensitive resources and internal services to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ManageEngine ADSelfService Plus versions prior to 6112 **Description** The issue allows for mail spoofing. **Recommendations** For versions prior to 6112, update to version 6112 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine ADSelfService Plus versions 6103 and prior **Description** The issue allows for admin portal access-restriction bypass. **Recommendations** For versions 6103 and prior, update to a version later than 6103 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine ADSelfService Plus versions through 6102 **Description** The issue allows unauthenticated remote code execution in non-English editions. **Recommendations** For versions through 6102, update to a version that contains a fix for this issue to prevent unauthenticated remote code execution.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine ADSelfService Plus versions 6103 and prior **Description** The issue is related to reflected XSS on the loadframe page. **Recommendations** For Zoho ManageEngine ADSelfService Plus versions 6103 and prior, update to a version later than 6103 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine ADSelfService Plus versions prior to 6103 **Description** The issue is related to CAPTCHA bypass due to improper parameter validation. **Recommendations** For versions prior to 6103, update to a version newer than 6103 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine ADSelfService Plus versions prior to 6104 Description: The issue allows attackers to obtain sensitive information about the password-sync database application in rare situations. Recommendations: For versions prior to 6104, update to version 6104 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: IBM Security Identity Manager Adapters versions 6.0 through 7.0 Description: The issue is caused by improper bounds checking, leading to a heap-based buffer overflow. A remote authenticated attacker could exploit this to cause the server to crash. Recommendations: For versions 6.0 through 7.0, update to a version that includes the fix for the heap-based buffer overflow issue.

Name of the Vulnerable Software and Affected Versions: IBM Security Identity Manager Adapters versions 6.0 through 7.0 Description: The issue is caused by improper bounds checking, leading to a stack-based buffer overflow. A remote authenticated attacker could exploit this to cause the server to crash. Recommendations: For versions 6.0 and 7.0, update to a version that includes the fix for the improper bounds checking issue to prevent the stack-based buffer overflow. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: IBM Security Identity Manager Adapters versions 6.0 through 7.0 Description: The issue allows a remote authenticated attacker to conduct an LDAP injection by using a specially crafted request, potentially leading to account takeover. Recommendations: For versions 6.0 through 7.0, consider restricting access to the LDAP functionality until a patch is available. As a temporary workaround, avoid using specially crafted requests in the affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine ADSelfService Plus versions through 6101 Description: The issue allows for unauthenticated Remote Code Execution when changing the password. Recommendations: For versions through 6101, update to a version that contains a fix for this issue to prevent unauthenticated Remote Code Execution.