CVE-2017-17552

Published: Feb 7, 2018Modified: Oct 24, 2025

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

/LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted.

Affected (7)

Products: Zohocorp: Manageengine Admanager Plus

Zohocorp

1 product

Manageengine Admanager Plus

Configuration A

7 vulnerable

Vulnerable Software	Affected Versions
Zohocorp Manageengine Admanager Plus	Before 6.6
Zohocorp Manageengine Admanager Plus	Version 6.6 6601
Zohocorp Manageengine Admanager Plus	Version 6.6 6602
Zohocorp Manageengine Admanager Plus	Version 6.6 6610
Zohocorp Manageengine Admanager Plus	Version 6.6 6611
Zohocorp Manageengine Admanager Plus	Version 6.6 6612
Zohocorp Manageengine Admanager Plus	Version 6.6 6613

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (2)

https://umbrielsecurity.wordpress.com/2018/01/31/dangerous-url-redirection-and-csrf-in-zoho-manageengine-ad-manager-plus-cve-2017-17552/

Source: cve@mitre.org

ExploitMitigationThird Party Advisory

https://umbrielsecurity.wordpress.com/2018/01/31/dangerous-url-redirection-and-csrf-in-zoho-manageengine-ad-manager-plus-cve-2017-17552/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitMitigationThird Party Advisory

Timeline

No history available yet.