CVE-2019-8346

MEDIUM

ManageEngine ADSelfService Plus 5.x-5704 - Unauthenticated Stored Cross-Site Scripting via adscsrf Parameter

Title source: llm

Description

In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token.

References (1)

Core 1

Core References

Release Notes, Vendor Advisory x_refsource_misc

https://www.manageengine.com/products/self-service-password/release-notes.html

Scores

CVSS v3 6.1

EPSS 0.0316

EPSS Percentile 87.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (4)

zohocorp/manageengine_adselfservice_plus 5.0 5000 (12 CPE variants)

zohocorp/manageengine_adselfservice_plus 5.1 5100 (16 CPE variants)

zohocorp/manageengine_adselfservice_plus 5.2 5200 (8 CPE variants)

zohocorp/manageengine_adselfservice_plus 5.3 5300 (14 CPE variants)

Published May 24, 2019

Tracked Since Feb 18, 2026