CVE-2022-24681
MEDIUM NUCLEI
Zoho ManageEngine ADSelfService Plus <6.12.1 - XSS
Title source: llm
Exploitation Summary
CVE-2022-24681 has a Nuclei detection template available — see the Nuclei card below for the Shodan/FOFA recon queries.
Description
Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.
Nuclei Templates (1)
ManageEngine ADSelfService Plus <6121 - Stored Cross-Site Scripting
MEDIUM by Open-Sec
Shodan:
http.title:"manageengine" || http.title:"adselfservice plus"
FOFA:
title="manageengine" || title="adselfservice plus"
References (3)
Core References
Product x_refsource_misc
https://manageengine.com
Patch, Vendor Advisory x_refsource_confirm
https://www.manageengine.com/products/self-service-password/kb/CVE-2022-24681.html
Exploit, Patch, Third Party Advisory x_refsource_misc
https://raxis.com/blog/cve-2022-24681
Scores
CVSS v3
6.1
EPSS
0.0355
EPSS Percentile
87.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (2)
zohocorp/manageengine_adselfservice_plus
6.1 (22 CPE variants)
zohocorp/manageengine_adselfservice_plus
< 6.1
Published
Apr 07, 2022
Tracked Since
Feb 18, 2026