CVE-2019-18411
ManageEngine ADSelfService Plus 5.x through 5803 - Cross-Site Request Forgery on Profile Information Page
Severity: HIGH
Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. A user targeted through this vulnerability can be made to modify their enrolled information, such as email address and mobile phone number, without intending to. An attacker could then use the reset password function and cause the system to send the authentication code to a channel the attacker controls.
References (1)
Core References:
- Third Party Advisory (x_refsource_misc): https://gist.github.com/aliceicl/e32fb4a17277c7db9e0256185ac03dae
Scores
CVSS v3: 8.8
EPSS: 0.0012
EPSS Percentile: 30.8%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE: CWE-352
Status: published
Products (4)
- zohocorp/manageengine_adselfservice_plus 5.0 5000 (12 CPE variants)
- zohocorp/manageengine_adselfservice_plus 5.1 5100 (16 CPE variants)
- zohocorp/manageengine_adselfservice_plus 5.2 5200 (8 CPE variants)
- zohocorp/manageengine_adselfservice_plus 5.3 5300 (14 CPE variants)
Published: Nov 06, 2019
Tracked Since: Feb 18, 2026