CVE-2022-24681 Overview
CVE-2022-24681 is a reflected Cross-Site Scripting (XSS) vulnerability in Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution for Active Directory. Versions prior to build 6121 fail to properly sanitize the welcome name attribute used on the Reset Password, Unlock Account, and User Must Change Password screens. An attacker can inject malicious JavaScript that executes in the victim's browser when the targeted page is rendered. The flaw is tracked under CWE-79 and requires user interaction to trigger.
Critical Impact
An unauthenticated attacker can execute arbitrary JavaScript in the context of an authenticated ADSelfService Plus session, enabling credential theft, session hijacking, and phishing against Active Directory users.
Affected Products
- Zoho ManageEngine ADSelfService Plus versions before build 6121
- ADSelfService Plus 6.1 builds 6100 through 6120
- Self-service password reset and account unlock workflows exposed to end users
Discovery Timeline
- 2022-04-07 - CVE-2022-24681 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-24681
Vulnerability Analysis
The vulnerability is a reflected Cross-Site Scripting flaw rooted in improper neutralization of user-supplied input. The welcome name attribute is rendered on three end-user facing screens: Reset Password, Unlock Account, and User Must Change Password. Input passed to this attribute is reflected into the HTML response without adequate output encoding. An attacker who crafts a URL containing JavaScript payloads can deliver it to a target user through phishing or other social engineering. When the user opens the link, the payload executes in the browser under the application's origin.
Because ADSelfService Plus brokers password resets against Active Directory, JavaScript executing in the application context has direct access to credentials entered into reset forms. The scope change reflected in the CVSS vector indicates that exploited content can affect resources beyond the vulnerable component, such as adjacent browser contexts.
Root Cause
The root cause is missing or insufficient HTML output encoding of the welcome name parameter before it is embedded in the page DOM. The application trusts the attribute value and reflects it directly into rendered markup, allowing <script> tags or event-handler attributes to break out of the intended string context.
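To make the root cause concrete, here is an added illustration (not ManageEngine code; the markup, the constructed payload and the helper names are assumptions) that renders a welcome name both the flawed way, by direct concatenation, and the fixed way, with HTML output encoding, then parses each result to see whether the value became live markup.

```python
import html
from html.parser import HTMLParser

# Constructed, illustrative value of the shape the page describes: it closes
# the surrounding attribute quote and supplies an event-handler attribute.
PAYLOAD = '"><img src=x onerror=alert(1)>'


def render_vulnerable(welcome_name: str) -> str:
    """Mimics the flawed behaviour: the value is concatenated into markup,
    so quote, '<' and '>' are interpreted as structure rather than text."""
    return (f'<h2 class="welcome" data-name="{welcome_name}">'
            f'Welcome, {welcome_name}</h2>')


def render_fixed(welcome_name: str) -> str:
    """Hardened version: encode the value for both the attribute context and
    the text context. html.escape(quote=True) encodes & < > \" and '."""
    safe = html.escape(welcome_name, quote=True)
    return f'<h2 class="welcome" data-name="{safe}">Welcome, {safe}</h2>'


class TagCollector(HTMLParser):
    """Records every start tag and every on* attribute the parser sees; that
    is what decides whether the payload was neutralised or became code."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.handlers: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend(name for name, _ in attrs if name.startswith("on"))


def parsed_tags(markup: str) -> tuple[list[str], list[str]]:
    """Return (tag names, event-handler attribute names) found in markup."""
    collector = TagCollector()
    collector.feed(markup)
    return collector.tags, collector.handlers
```

In the vulnerable rendering the payload yields two injected img tags carrying onerror handlers; in the fixed rendering only the h2 survives and the payload is inert text.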
Attack Vector
Exploitation is network-based and requires user interaction. An attacker crafts a malicious URL targeting the Reset Password, Unlock Account, or User Must Change Password endpoint with an XSS payload in the welcome name parameter. The attacker then delivers the link via email, chat, or a malicious site. When a victim, often an authenticated administrator or end user attempting a password reset, opens the link, the payload executes in their browser. Attackers commonly use this to steal session cookies, capture submitted credentials, or pivot into further attacks against the identity infrastructure.
No verified public proof-of-concept code is referenced in the enriched data. See the Raxis Blog on CVE-2022-24681 and the ManageEngine CVE-2022-24681 Advisory for additional technical context.
Detection Methods for CVE-2022-24681
Indicators of Compromise
- Web server access logs showing requests to Reset Password, Unlock Account, or User Must Change Password endpoints containing URL-encoded <script>, onerror=, onload=, or javascript: substrings in the welcome name parameter
- Unexpected outbound requests from ADSelfService Plus user browsers to attacker-controlled domains shortly after visiting reset URLs
- Reports from users of unexpected pop-ups, redirects, or credential prompts on ADSelfService Plus pages
Detection Strategies
- Inspect HTTP query strings and POST bodies hitting ADSelfService Plus reset workflows for HTML tag characters and common XSS keywords
- Deploy a Web Application Firewall (WAF) rule that flags or blocks reflected XSS patterns against the affected endpoints
- Compare the deployed ADSelfService Plus build number against build 6121 using the product's About page or installer metadata
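The log inspection described above, as an added example that is not part of the original page or the vendor's tooling: it scans constructed access-log lines, restricts itself to the reset/unlock/change-password paths, and decodes repeated percent-encoding before matching the XSS markers the IoC list names. The path fragments and the welcomeName parameter name are assumptions; replace them with the routes seen in your own logs.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Assumed path fragments for the three affected screens (not the product's
# documented routes); adjust to match your deployment.
WATCHED_PATHS = ("/resetpassword", "/unlockaccount", "/changepassword")
XSS_MARKERS = re.compile(r"<script|onerror\s*=|onload\s*=|javascript:", re.I)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d+)')

# Constructed sample lines in Common Log Format (not real traffic). Line 3
# is double-encoded, the trick used to slip past single-decode filters.
SAMPLE_LOG = """\
10.0.0.5 - - [07/Apr/2022:10:01:02 +0000] "GET /resetpassword?welcomeName=Alice HTTP/1.1" 200 512
10.0.0.9 - - [07/Apr/2022:10:02:15 +0000] "GET /resetpassword?welcomeName=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 600
10.0.0.9 - - [07/Apr/2022:10:03:40 +0000] "GET /unlockaccount?welcomeName=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 600
10.0.0.7 - - [07/Apr/2022:10:04:00 +0000] "GET /help?q=%3Cscript%3E HTTP/1.1" 200 100
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding; stop once decoding no longer changes
    the value so a legitimately literal '%' is not mangled forever."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_access_log(text: str) -> list[dict]:
    """Return one hit per (request, parameter) whose decoded value carries an
    XSS marker on a watched path. parse_qsl decodes one layer already."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().startswith(WATCHED_PATHS):
            continue
        for name, raw in parse_qsl(url.query, keep_blank_values=True):
            marker = XSS_MARKERS.search(fully_decode(raw))
            if marker:
                hits.append({"ip": m["ip"], "ts": m["ts"], "path": url.path,
                             "param": name, "marker": marker.group(0).lower()})
    return hits
```

Running scan_access_log(SAMPLE_LOG) flags the second and third lines only: the plain script tag and the double-encoded onerror handler on the unlock page, while the benign reset and the unrelated /help request are ignored.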
Monitoring Recommendations
- Forward ADSelfService Plus web access logs to a centralized logging or SIEM platform for retention and correlation
- Alert on phishing campaigns referencing internal ADSelfService Plus URLs with anomalous query parameters
- Track Active Directory authentication anomalies that could indicate session or credential theft following a suspected XSS event
How to Mitigate CVE-2022-24681
Immediate Actions Required
- Upgrade Zoho ManageEngine ADSelfService Plus to build 6121 or later, which addresses the welcome name reflection issue
- Restrict external exposure of the ADSelfService Plus portal to trusted networks or behind a reverse proxy with XSS filtering until patched
- Inform helpdesk and end users to avoid clicking ADSelfService Plus links received from untrusted sources
Patch Information
Zoho addressed the vulnerability in ADSelfService Plus build 6121. The vendor advisory is available at the ManageEngine CVE-2022-24681 Advisory. Administrators should download the latest service pack from the ManageEngine portal and apply it following the documented upgrade procedure, then verify the installed build via the product's About page.
Workarounds
- Place ADSelfService Plus behind a WAF or reverse proxy configured to strip or encode HTML metacharacters in query parameters targeting the affected pages
- Enforce strict Content Security Policy (CSP) headers on the application to limit inline script execution where supported by the deployment
- Limit administrative access to the portal to internal network segments until the upgrade is complete
# Verify the installed ADSelfService Plus build before and after patching
# (run from the ADSelfService Plus install directory on the host)
type conf\product.properties | findstr /I build
# Example WAF rule sketch (ModSecurity-style) to block tags in welcome name.
# The parameter name welcomeName is illustrative; confirm the real query
# parameter name in your deployment before relying on the rule. ARGS values
# are already URL-decoded once by the engine; t:urlDecodeUni also catches
# double-encoded payloads.
SecRule ARGS:welcomeName "@rx (?i)(<script|onerror=|onload=|javascript:)" \
"id:1024681,phase:2,t:urlDecodeUni,deny,status:403,msg:'Possible XSS CVE-2022-24681'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.