Zoho ManageEngine ADSelfService Plus: CVE-2021-37422: SQL Injection while linking the databases.
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 7 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Aug 26, 2021 | Dec 18, 2024 | Mar 27, 2026 |
Description
A SQL injection vulnerability was discovered in ADSelfService Plus when password synchronization was enabled for Oracle Database. This issue has now been fixed. During account linking between Active Directory and Oracle Database for password synchronization, the supplied usernames were inserted into SQL queries without sanitization and sent to the linked Oracle Database, leaving the application open to Boolean-based SQL injection. If such an injection succeeds, data held in ADSelfService Plus may be exposed.
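The following is an added illustration of the vulnerability class described above, not code from ADSelfService Plus or from Zoho: a toy "linked database" (SQLite standing in for Oracle Database, with constructed sample rows) where a username is concatenated into the query, beside the same lookup written with a bound parameter. The query shape, table and column names are assumptions for the demonstration. The Boolean-based extraction routine shows why a yes/no answer to a linking request is enough to pull data out one character at a time.

```python
import sqlite3

# Constructed sample data: a stand-in for the linked Oracle Database.
# Hash values are arbitrary hex strings, not real credentials.
SAMPLE_ROWS = [
    ("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),
    ("bob", "e99a18c428cb38d5f260853678922e03"),
]


def make_db():
    """Build the in-memory stand-in for the linked database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE app_users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO app_users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def user_exists_vulnerable(conn, username):
    """Assumed vulnerable lookup: the username becomes part of the SQL text."""
    sql = f"SELECT COUNT(*) FROM app_users WHERE username = '{username}'"
    return conn.execute(sql).fetchone()[0] > 0


def user_exists_fixed(conn, username):
    """Same lookup with a bound parameter: the username is data, never SQL."""
    sql = "SELECT COUNT(*) FROM app_users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()[0] > 0


def boolean_probe(conn, lookup, condition):
    """Ask the application a yes/no question by appending an injected condition
    to a known-good username. A vulnerable lookup returns True only when the
    injected condition holds; the fixed lookup treats the whole string as a
    (non-existent) username and always returns False."""
    payload = f"alice' AND ({condition}) AND 'x'='x"
    return lookup(conn, payload)


def leak_hash_prefix(conn, lookup, target, length, alphabet="0123456789abcdef"):
    """Boolean-based extraction: recover the first `length` characters of
    target's password_hash using only True/False answers. Returns None if the
    oracle never answers True for a position, which is what the fixed lookup
    produces."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            cond = (
                "SUBSTR((SELECT password_hash FROM app_users "
                f"WHERE username='{target}'),{pos},1)='{ch}'"
            )
            if boolean_probe(conn, lookup, cond):
                recovered += ch
                break
        else:
            return None
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", leak_hash_prefix(db, user_exists_vulnerable, "alice", 8))
    print("fixed:     ", leak_hash_prefix(db, user_exists_fixed, "alice", 8))
```

The point of the side-by-side is that the application never has to echo query results for data to leak: a linking step that merely reports whether the account matched is a usable oracle, and `SUBSTR` lets the attacker walk any column one character at a time. Binding the username as a parameter (or, at minimum, rejecting usernames that fall outside the character set Active Directory allows) removes the oracle entirely; the advisory does not state which approach the vendor took, only that the issue is fixed in current releases.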
Solution
zoho-manageengine-adselfservice-plus-upgrade-latest