CVE-2022-24681: 
Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation

CVE-2022-24681 is a stored Cross-Site Scripting (XSS) vulnerability discovered in Zoho's ManageEngine ADSelfService Plus. The vulnerability was identified in January 2022 and affects builds 6120 and below of the software. The issue was fixed in Build 6121, released on March 3, 2022. This security flaw specifically impacts the reset password, unlock account, and user must change password pages of the application (ManageEngine Advisory, Raxis Blog).

The vulnerability exists in the /accounts/authVerify page and can be triggered by inserting HTML content, specifically tags that support JavaScript, into the first or last name fields of an Active Directory user. When users attempt to reset their password, unlock their account, or are required to change their password upon login, the malicious content is executed due to improper sanitization of the welcome name attribute (Raxis Blog).

The vulnerability affects only the respective user or anyone attempting to impersonate that user. When exploited, it allows for the execution of malicious scripts in the context of the user's session, potentially leading to cookie theft and session hijacking (ManageEngine Advisory).

The recommended mitigation is to update ADSelfService Plus to Version 6.1 Build 6121 or later. There are no alternative workarounds available for this vulnerability. The fix implemented by ManageEngine blocks script execution on the affected pages (ManageEngine Advisory).