medium
6.1
CWE
79 352
Advisory Published
Updated

CVE-2019-8346: XSS

First published: Fri May 24 2019(Updated: )

In Zoho ManageEngine ADSelfService Plus 5.x through 5704, an authorization.do cross-site Scripting (XSS) vulnerability allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf. An attacker can use this to capture a user's AD self-service password reset and MFA token.

Credit: cve@mitre.org

Affected SoftwareAffected VersionHow to fix
ADSelfService Plus=5.0-5000
ADSelfService Plus=5.0-5001
ADSelfService Plus=5.0-5002
ADSelfService Plus=5.0-5010
ADSelfService Plus=5.0-5011
ADSelfService Plus=5.0-5020
ADSelfService Plus=5.0-5021
ADSelfService Plus=5.0-5022
ADSelfService Plus=5.0-5030
ADSelfService Plus=5.0-5032
ADSelfService Plus=5.0-5040
ADSelfService Plus=5.0-5041
ADSelfService Plus=5.1-5100
ADSelfService Plus=5.1-5101
ADSelfService Plus=5.1-5102
ADSelfService Plus=5.1-5103
ADSelfService Plus=5.1-5104
ADSelfService Plus=5.1-5105
ADSelfService Plus=5.1-5106
ADSelfService Plus=5.1-5107
ADSelfService Plus=5.1-5108
ADSelfService Plus=5.1-5109
ADSelfService Plus=5.1-5110
ADSelfService Plus=5.1-5111
ADSelfService Plus=5.1-5112
ADSelfService Plus=5.1-5113
ADSelfService Plus=5.1-5114
ADSelfService Plus=5.1-5115
ADSelfService Plus=5.2-5200
ADSelfService Plus=5.2-5201
ADSelfService Plus=5.2-5202
ADSelfService Plus=5.2-5203
ADSelfService Plus=5.2-5204
ADSelfService Plus=5.2-5205
ADSelfService Plus=5.2-5206
ADSelfService Plus=5.2-5207
ADSelfService Plus=5.3-5300
ADSelfService Plus=5.3-5301
ADSelfService Plus=5.3-5302
ADSelfService Plus=5.3-5303
ADSelfService Plus=5.3-5304
ADSelfService Plus=5.3-5305
ADSelfService Plus=5.3-5306
ADSelfService Plus=5.3-5307
ADSelfService Plus=5.3-5308
ADSelfService Plus=5.3-5309
ADSelfService Plus=5.3-5310
ADSelfService Plus=5.3-5311
ADSelfService Plus=5.3-5312
ADSelfService Plus=5.3-5313
ADSelfService Plus=5.3-5314
ADSelfService Plus=5.3-5315
ADSelfService Plus=5.3-5316
ADSelfService Plus=5.3-5317
ADSelfService Plus=5.3-5318
ADSelfService Plus=5.3-5319
ADSelfService Plus=5.3-5320
ADSelfService Plus=5.3-5321
ADSelfService Plus=5.3-5322
ADSelfService Plus=5.3-5323
ADSelfService Plus=5.3-5324
ADSelfService Plus=5.3-5325
ADSelfService Plus=5.3-5326
ADSelfService Plus=5.3-5327
ADSelfService Plus=5.3-5328
ADSelfService Plus=5.3-5329
ADSelfService Plus=5.3-5330
ADSelfService Plus=5.4-5400
ADSelfService Plus=5.5-5500
ADSelfService Plus=5.5-5501
ADSelfService Plus=5.5-5502
ADSelfService Plus=5.5-5503
ADSelfService Plus=5.5-5504
ADSelfService Plus=5.5-5505
ADSelfService Plus=5.5-5506
ADSelfService Plus=5.5-5507
ADSelfService Plus=5.5-5508
ADSelfService Plus=5.5-5509
ADSelfService Plus=5.5-5510
ADSelfService Plus=5.5-5511
ADSelfService Plus=5.5-5512
ADSelfService Plus=5.5-5513
ADSelfService Plus=5.5-5514
ADSelfService Plus=5.5-5515
ADSelfService Plus=5.5-5516
ADSelfService Plus=5.5-5517
ADSelfService Plus=5.5-5518
ADSelfService Plus=5.5-5519
ADSelfService Plus=5.5-5520
ADSelfService Plus=5.5-5521
ADSelfService Plus=5.6-5600
ADSelfService Plus=5.6-5601
ADSelfService Plus=5.6-5602
ADSelfService Plus=5.6-5603
ADSelfService Plus=5.6-5604
ADSelfService Plus=5.6-5605
ADSelfService Plus=5.6-5606
ADSelfService Plus=5.6-5607
ADSelfService Plus=5.7-5702
ADSelfService Plus=5.7-5704

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is the severity of CVE-2019-8346?

    CVE-2019-8346 has a medium severity rating due to its potential for cross-site scripting attacks.

  • How do I fix CVE-2019-8346?

    To fix CVE-2019-8346, update your ManageEngine ADSelfService Plus to a patched version that addresses this vulnerability.

  • What versions are affected by CVE-2019-8346?

    CVE-2019-8346 affects ManageEngine ADSelfService Plus versions 5.x through 5704.

  • What exploitation can occur with CVE-2019-8346?

    An attacker can exploit CVE-2019-8346 to perform cross-site scripting attacks, potentially capturing sensitive user data.

  • Who can be affected by CVE-2019-8346?

    Any user interacting with an unpatched version of ManageEngine ADSelfService Plus could be at risk from CVE-2019-8346.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2025 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203