Matt Dunn

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine Remote Access Plus versions prior to 10.1.2137.15 **Description** The issue allows guest users to view domain details, including the username and GUID of an administrator. **Recommendations** For versions prior to 10.1.2137.15, update to version 10.1.2137.15 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Zoho ManageEngine SupportCenter Plus versions prior to 11020 **Description** The issue allows Stored XSS in the request history. **Recommendations** For versions prior to 11020, update to version 11020 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** PRTG Network Monitor versions prior to 21.3.69.1333 **Description** The issue allows stored XSS via an unsanitized string imported from a `User Object` in a connected Active Directory instance. This occurs due to the lack of proper sanitization of the imported string. **Recommendations** For versions prior to 21.3.69.1333, update to version 21.3.69.1333 or later to resolve the issue. As a temporary workaround, consider restricting the import of unsanitized strings from connected Active Directory instances to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine Key Manager Plus versions prior to 6001 Description: The issue allows Stored XSS on the user-management page while importing malicious user details from AD. This occurs when malicious user details are imported, potentially leading to stored cross-site scripting attacks. Recommendations: For versions prior to 6001, update to version 6001 or later to resolve the issue. As a temporary workaround, consider restricting the import of user details from AD to minimize the risk of exploitation. Avoid using the user-management page for importing user details until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine ADSelfService Plus versions prior to 6104 Description: The issue allows stored XSS on the "/webclient/index.html#/directory-search" user search page via the `e-mail address` field. This could potentially lead to malicious script execution when a user interacts with the affected page. Recommendations: For versions prior to 6104, update to version 6104 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/webclient/index.html#/directory-search" page until the update is applied. Avoid using the `e-mail address` field in the affected API endpoint until the issue is resolved.