PT-2022-16796 · Zoho · Zoho Manageengine Adselfservice Plus
Matt · Published 2022-04-07 · Updated 2022-10-06 · CVE-2022-24681
CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Zoho ManageEngine ADSelfService Plus versions prior to 6121
Description
The issue allows cross-site scripting (XSS) via the welcome name attribute on the Reset Password, Unlock Account, or User Must Change Password screens. This can be exploited by manipulating the welcome name attribute.
Recommendations
For versions prior to 6121, update to version 6121 or later to resolve the issue. As a temporary workaround, consider restricting access to the Reset Password, Unlock Account, or User Must Change Password screens until the update is applied. Avoid using the welcome name attribute in these screens until the issue is resolved.
Affected Products
Zoho Manageengine Adselfservice Plus