Cross-Site Scripting (XSS) Vulnerability in Zoho ManageEngine ADSelfService Plus 5.x through 5704

Cross-Site Scripting (XSS) Vulnerability in Zoho ManageEngine ADSelfService Plus 5.x through 5704

CVE-2019-8346 · MEDIUM Severity

AV:N/AC:M/AU:N/C:N/I:P/A:N

In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token.

Learn more about our User Device Pen Test.