Main Vulnerability Database Vulnerabilities #VU63623

Information disclosure in Zoho ManageEngine ADSelfService Plus - #VU63623

Published: May 25, 2022

Vulnerability identifier: #VU63623

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: N/A

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Zoho ManageEngine ADSelfService Plus

Software vendor:
Zoho Corporation

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the username information in the request URL is sent to the ADSelfService Plus server upon successful IdP authentication. A remote attacker can obtain this information in certain cases.

Remediation

Install updates from vendor's website.

External links

https://www.manageengine.com/products/self-service-password/release-notes.html#6200

Information disclosure in Zoho ManageEngine ADSelfService Plus - #VU63623

Description

Remediation

External links

Please verify you're human