CVE-2022-24681

Exploit

EPSS 21.61%
Published 07.04.2022 22:15:07
Last modified 21.11.2024 06:50:51
Source cve@mitre.org
Teams watchlist Login
Open Login

Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User Must Change Password screen.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Zohocorp ≫ Manageengine Adselfservice Plus Version < 6.1

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update-

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6100

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6101

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6102

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6103

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6104

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6105

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6106

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6107

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6108

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6109

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6110

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6111

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6112

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6113

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6114

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6115

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6116

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6117

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6118

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6119

Zohocorp ≫ Manageengine Adselfservice Plus Version6.1 Update6120

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	21.61%	0.955

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
nvd@nist.gov	4.3	8.6	2.9	AV:N/AC:M/Au:N/C:N/I:P/A:N

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://manageengine.com

Product

https://raxis.com/blog/cve-2022-24681

Patch

Third Party Advisory

Exploit

https://www.manageengine.com/products/self-service-password/kb/CVE-2022-24681.html

Patch

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2022-24681

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-24681

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-24681

EUVD