high
8.8
CWE
352
Advisory Published
Updated

CVE-2019-18411: CSRF

First published: Wed Nov 06 2019(Updated: )

Zoho ManageEngine ADSelfService Plus 5.x through 5803 has CSRF on the users' profile information page. Users who are attacked with this vulnerability will be forced to modify their enrolled information, such as email and mobile phone, unintentionally. Attackers could use the reset password function and control the system to send the authentication code back to the channel that the attackers own.

Credit: cve@mitre.org

Affected SoftwareAffected VersionHow to fix
ADSelfService Plus=5.0-5000
ADSelfService Plus=5.0-5001
ADSelfService Plus=5.0-5002
ADSelfService Plus=5.0-5010
ADSelfService Plus=5.0-5011
ADSelfService Plus=5.0-5020
ADSelfService Plus=5.0-5021
ADSelfService Plus=5.0-5022
ADSelfService Plus=5.0-5030
ADSelfService Plus=5.0-5032
ADSelfService Plus=5.0-5040
ADSelfService Plus=5.0-5041
ADSelfService Plus=5.1-5100
ADSelfService Plus=5.1-5101
ADSelfService Plus=5.1-5102
ADSelfService Plus=5.1-5103
ADSelfService Plus=5.1-5104
ADSelfService Plus=5.1-5105
ADSelfService Plus=5.1-5106
ADSelfService Plus=5.1-5107
ADSelfService Plus=5.1-5108
ADSelfService Plus=5.1-5109
ADSelfService Plus=5.1-5110
ADSelfService Plus=5.1-5111
ADSelfService Plus=5.1-5112
ADSelfService Plus=5.1-5113
ADSelfService Plus=5.1-5114
ADSelfService Plus=5.1-5115
ADSelfService Plus=5.2-5200
ADSelfService Plus=5.2-5201
ADSelfService Plus=5.2-5202
ADSelfService Plus=5.2-5203
ADSelfService Plus=5.2-5204
ADSelfService Plus=5.2-5205
ADSelfService Plus=5.2-5206
ADSelfService Plus=5.2-5207
ADSelfService Plus=5.3-5300
ADSelfService Plus=5.3-5301
ADSelfService Plus=5.3-5302
ADSelfService Plus=5.3-5303
ADSelfService Plus=5.3-5304
ADSelfService Plus=5.3-5305
ADSelfService Plus=5.3-5306
ADSelfService Plus=5.3-5307
ADSelfService Plus=5.3-5308
ADSelfService Plus=5.3-5309
ADSelfService Plus=5.3-5310
ADSelfService Plus=5.3-5311
ADSelfService Plus=5.3-5312
ADSelfService Plus=5.3-5313
ADSelfService Plus=5.3-5314
ADSelfService Plus=5.3-5315
ADSelfService Plus=5.3-5316
ADSelfService Plus=5.3-5317
ADSelfService Plus=5.3-5318
ADSelfService Plus=5.3-5319
ADSelfService Plus=5.3-5320
ADSelfService Plus=5.3-5321
ADSelfService Plus=5.3-5322
ADSelfService Plus=5.3-5323
ADSelfService Plus=5.3-5324
ADSelfService Plus=5.3-5325
ADSelfService Plus=5.3-5326
ADSelfService Plus=5.3-5327
ADSelfService Plus=5.3-5328
ADSelfService Plus=5.3-5329
ADSelfService Plus=5.3-5330
ADSelfService Plus=5.4-5400
ADSelfService Plus=5.5-5500
ADSelfService Plus=5.5-5501
ADSelfService Plus=5.5-5502
ADSelfService Plus=5.5-5503
ADSelfService Plus=5.5-5504
ADSelfService Plus=5.5-5505
ADSelfService Plus=5.5-5506
ADSelfService Plus=5.5-5507
ADSelfService Plus=5.5-5508
ADSelfService Plus=5.5-5509
ADSelfService Plus=5.5-5510
ADSelfService Plus=5.5-5511
ADSelfService Plus=5.5-5512
ADSelfService Plus=5.5-5513
ADSelfService Plus=5.5-5514
ADSelfService Plus=5.5-5515
ADSelfService Plus=5.5-5516
ADSelfService Plus=5.5-5517
ADSelfService Plus=5.5-5518
ADSelfService Plus=5.5-5519
ADSelfService Plus=5.5-5520
ADSelfService Plus=5.5-5521
ADSelfService Plus=5.6-5600
ADSelfService Plus=5.6-5601
ADSelfService Plus=5.6-5602
ADSelfService Plus=5.6-5603
ADSelfService Plus=5.6-5604
ADSelfService Plus=5.6-5605
ADSelfService Plus=5.6-5606
ADSelfService Plus=5.6-5607
ADSelfService Plus=5.7-5702
ADSelfService Plus=5.7-5704
ADSelfService Plus=5.7-5705
ADSelfService Plus=5.7-5706
ADSelfService Plus=5.7-5707
ADSelfService Plus=5.7-5708
ADSelfService Plus=5.7-5709
ADSelfService Plus=5.7-5710
ADSelfService Plus=5.8-5800
ADSelfService Plus=5.8-5801
ADSelfService Plus=5.8-5802
ADSelfService Plus=5.8-5803

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2019-18411?

    CVE-2019-18411 has a medium severity rating due to its potential impact on user information.

  • How do I fix CVE-2019-18411?

    To fix CVE-2019-18411, update to the latest version of Zoho ManageEngine ADSelfService Plus that addresses this vulnerability.

  • What is CVE-2019-18411 about?

    CVE-2019-18411 is a CSRF vulnerability that allows attackers to modify user profile information without consent.

  • Which versions are affected by CVE-2019-18411?

    CVE-2019-18411 affects Zoho ManageEngine ADSelfService Plus versions 5.x up to and including 5803.

  • Can CVE-2019-18411 lead to unauthorized access?

    Yes, exploiting CVE-2019-18411 can potentially lead to unauthorized access to a user's profile data.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203