9.8
CVE-2021-40539
- EPSS 94.42%
- Veröffentlicht 07.09.2021 17:15:07
- Zuletzt bearbeitet 05.11.2025 19:13:20
- Quelle cve@mitre.org
- CVE-Watchlists
- Unerledigt
LoginZoho ManageEngine ADSelfService Plus version 6113 and prior is vulnerable to REST API authentication bypass with resultant remote code execution.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Zohocorp ≫ Manageengine Adselfservice Plus Version < 6.1
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update-
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6100
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6101
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6102
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6103
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6104
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6105
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6106
Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6113
03.11.2021: CISA Known Exploited Vulnerabilities (KEV) Catalog
Zoho ManageEngine ADSelfService Plus Authentication Bypass Vulnerability
SchwachstelleZoho ManageEngine ADSelfService Plus contains an authentication bypass vulnerability affecting the REST API URLs which allow for remote code execution.
BeschreibungApply updates per vendor instructions.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 94.42% | 1 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
| nvd@nist.gov | 7.5 | 10 | 6.4 |
AV:N/AC:L/Au:N/C:P/I:P/A:P
|
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-706 Use of Incorrectly-Resolved Name or Reference
The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.