ManageEngine ADSelfService Plus - Stored Cross-Site Scripting (CVE-2022-24681)
- Severity
- CVSSv3 Score
- 6.1
- Exploitable with Sniper
- No
- Vulnerability description
The ManageEngine ADSelfService Plus server is affected by a Stored Cross-Site Scripting (XSS) vulnerability in the /accounts/authVerify endpoint, which serves the forgot password, change password, and unlock account functionalities. The root cause is the lack of validation of data taken from an Active Directory user object: the attribute values are rendered without being sanitised. An attacker who can modify a user's information in Active Directory can therefore inject JavaScript code into those attributes, and the payload executes in the browser of anyone who accesses the authVerify page for that user.
- Risk description
An attacker who exploits this vulnerability could hijack user accounts, steal credentials, exfiltrate sensitive data, or extract browser-based information from victims who load the affected page.
- Recommendation
Upgrade ManageEngine ADSelfService Plus to build 6121 or later.
- Detectable with
- Network Scanner
- Vuln date
- Feb 2022
- Published at
- Updated at
- Software Type
- Hypervisor
- Vendor
- ManageEngine
- Product
- ADSelfService Plus
- Codename
- Not available