Zohocorp Manageengine Adselfservice Plus — known CVE vulnerabilities
Every CVE whose affected-product data names Zohocorp Manageengine Adselfservice Plus, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVE-2020-11552 — CVSS 9.8 (critical): An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce…
CVE-2023-35854 — CVSS 9.8 (critical): Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session…
CVE-2018-5353 — CVSS 9.8 (critical): The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and…
CVE-2021-37422 — CVSS 9.8 (critical): Zoho ManageEngine ADSelfService Plus 6111 and prior is vulnerable to SQL Injection while linking the databases.
CVE-2021-37421 — CVSS 9.8 (critical): Zoho ManageEngine ADSelfService Plus 6103 and prior is vulnerable to admin portal access-restriction bypass.
CVE-2021-37417 — CVSS 9.8 (critical): Zoho ManageEngine ADSelfService Plus version 6103 and prior allows CAPTCHA bypass due to improper parameter validation.
CVE-2020-24786 — CVSS 9.8 (critical): An issue was discovered in Zoho ManageEngine Exchange Reporter Plus before build number 5510, AD360 before build number 4228, ADSelfService…
CVE-2021-33055 — CVSS 9.8 (critical): Zoho ManageEngine ADSelfService Plus through 6102 allows unauthenticated remote code execution in non-English editions.
CVE-2021-28958 — CVSS 9.8 (critical): Zoho ManageEngine ADSelfService Plus through 6101 is vulnerable to unauthenticated Remote Code Execution while changing the password.
CVE-2025-11250 — CVSS 9.1 (critical): Zohocorp ManageEngine ADSelfService Plus versions before 6519 are vulnerable to Authentication Bypass due to improper filter configurations.
CVE-2019-7162 — CVSS 9.1 (critical): An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.6 Build 5607. An exposed service allows an unauthenticated person to…
CVE-2022-36413 — CVSS 9.1 (critical): Zoho ManageEngine ADSelfService Plus through 6203 is vulnerable to a brute-force attack that leads to a password reset on IDM applications.
CVE-2022-29457 — CVSS 8.8 (high): Zoho ManageEngine ADSelfService Plus before 6121, ADAuditPlus 7060, Exchange Reporter Plus 5701, and ADManagerPlus 7131 allow NTLM Hash…
CVE-2019-18411 — CVSS 8.8 (high): Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this…
CVE-2021-33256 — CVSS 8.8 (high): A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an…
CVE-2024-0252 — CVSS 8.8 (high): ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the…
CVE-2025-3833 — CVSS 8.1 (high): Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports.
CVE-2025-1723 — CVSS 8.1 (high): Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling. Valid…
CVE-2022-34829 — CVSS 7.5 (high): Zoho ManageEngine ADSelfService Plus before 6203 allows a denial of service (application restart) via a crafted payload to the Mobile App…
CVE-2023-28342 — CVSS 7.5 (high): Zoho ManageEngine ADSelfService Plus before 6218 allows anyone to conduct a Denial-of-Service attack via the Mobile App Authentication API.
CVE-2019-7161 — CVSS 7.5 (high): An issue was discovered in Zoho ManageEngine ADSelfService Plus 5.x through build 5704. It uses fixed ciphering keys to protect…
CVE-2019-12876 — CVSS 7.3 (high): Zoho ManageEngine ADManager Plus 6.6.5, ADSelfService Plus 5.7, and DesktopCentral 10.0.380 have Insecure Permissions, leading to Privilege…
CVE-2019-12476 — CVSS 6.8 (medium): An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an…
CVE-2023-35719 — CVSS 6.8 (medium): ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This…
CVE-2021-27956 — CVSS 6.1 (medium): Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the…
CVE-2019-18781 — CVSS 6.1 (medium): An open redirect vulnerability was discovered in Zoho ManageEngine ADSelfService Plus 5.x before 5809 that allows attackers to force users…
CVE-2021-37416 — CVSS 6.1 (medium): Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.
CVE-2018-20484 — CVSS 6.1 (medium): Zoho ManageEngine ADSelfService Plus 5.7 before build 5702 has XSS in the self-update layout implementation.
CVE-2022-24681 — CVSS 6.1 (medium): Zoho ManageEngine ADSelfService Plus before 6121 allows XSS via the welcome name attribute to the Reset Password, Unlock Account, or User…
CVE-2021-27214 — CVSS 6.1 (medium): A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows…
CVE-2019-8346 — CVSS 6.1 (medium): In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an…
CVE-2021-31874 — CVSS 5.9 (medium): Zoho ManageEngine ADSelfService Plus before 6104, in rare situations, allows attackers to obtain sensitive information about the…
CVE-2023-6105 — CVSS 5.5 (medium): An information disclosure vulnerability exists in multiple ManageEngine products that can result in encryption keys being exposed. A…
CVE-2021-20147 — CVSS 5.3 (medium): ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the…
CVE-2022-28987 — CVSS 5.3 (medium): Zoho ManageEngine ADSelfService Plus before 6202 allows attackers to perform username enumeration via a crafted POST request to…
CVE-2024-27310 — CVSS 5.3 (medium): Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to the DOS attack due to the malicious LDAP input.
CVE-2010-3273 — CVSS 5.0 (medium): ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 allows remote attackers to reset user passwords, and consequently obtain access…
CVE-2011-5105 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in ZOHO ManageEngine ADSelfService Plus 4.5 Build 4521 allow…
CVE-2014-3779 — CVSS 4.3 (medium): Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine ADSelfService Plus before 5.2 Build 5202 allows remote attackers to inject…
CVE-2021-20148 — CVSS 4.3 (medium): ManageEngine ADSelfService Plus below build 6116 stores the password policy file for each domain under the html/ web root with a…
CVE-2010-3272 — CVSS 4.3 (medium): accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it…
CVE-2010-3274 — CVSS 4.3 (medium): Multiple cross-site scripting (XSS) vulnerabilities in EmployeeSearch.cc in the Employee Search Engine in ZOHO ManageEngine ADSelfService…