CVE-2022-24681

MEDIUM NUCLEI

Zoho ManageEngine ADSelfService Plus <6.12.1 - XSS

Title source: llm

Description

Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.

Nuclei Templates (1)

ManageEngine ADSelfService Plus <6121 - Stored Cross-Site Scripting
MEDIUM by Open-Sec
Shodan: http.title:"manageengine" || http.title:"adselfservice plus"
FOFA: title="manageengine" || title="adselfservice plus"

Scores

CVSS v3 6.1
EPSS 0.2341
EPSS Percentile 96.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (2)
zohocorp/manageengine_adselfservice_plus 6.1 (22 CPE variants)
zohocorp/manageengine_adselfservice_plus < 6.1
Published Apr 07, 2022
Tracked Since Feb 18, 2026