CVE-2017-17552

/LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted.

CVSS v3 8.8 HIGH
CVSS v2.0 6.8 MEDIUM

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

6.8^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:P/I:P/A:P

Exploitability : 8.6 / Impact : 6.4

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://umbrielsecurity.wordpress.com/2018/01/31/dangerous-url-redirection-and-csrf-in-zoho-manageengine-ad-manager-plus-cve-2017-17552/	Exploit Mitigation Third Party Advisory
https://umbrielsecurity.wordpress.com/2018/01/31/dangerous-url-redirection-and-csrf-in-zoho-manageengine-ad-manager-plus-cve-2017-17552/	Exploit Mitigation Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:zohocorp:manageengine_admanager_plus::::::::
	cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.6:6601::::::
	cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.6:6602::::::
	cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.6:6610::::::
	cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.6:6611::::::
	cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.6:6612::::::
	cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.6:6613::::::

History

24 Oct 2025, 15:47

Type	Values Removed	Values Added
First Time		Zohocorp Zohocorp manageengine Admanager Plus
References	~~() https://umbrielsecurity.wordpress.com/2018/01/31/dangerous-url-redirection-and-csrf-in-zoho-manageengine-ad-manager-plus-cve-2017-17552/ - Exploit, Third Party Advisory~~	() https://umbrielsecurity.wordpress.com/2018/01/31/dangerous-url-redirection-and-csrf-in-zoho-manageengine-ad-manager-plus-cve-2017-17552/ - Exploit, Mitigation, Third Party Advisory
CPE		cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.6:6611:::::: cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.6:6602:::::: cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.6:6612:::::: cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.6:6610:::::: cpe:2.3:a:zohocorp:manageengine_admanager_plus:::::::: cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.6:6613:::::: cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.6:6601::::::

23 Oct 2025, 13:52

Type	Values Removed	Values Added
CPE	cpe:2.3:a:zohocorp:manageengine_admanager_plus::::::::

21 Nov 2024, 03:18

Type	Values Removed	Values Added
References	~~() https://umbrielsecurity.wordpress.com/2018/01/31/dangerous-url-redirection-and-csrf-in-zoho-manageengine-ad-manager-plus-cve-2017-17552/ - Exploit, Third Party Advisory~~	() https://umbrielsecurity.wordpress.com/2018/01/31/dangerous-url-redirection-and-csrf-in-zoho-manageengine-ad-manager-plus-cve-2017-17552/ - Exploit, Third Party Advisory

Information

Published : 2018-02-07 17:29

Updated : 2025-10-24 15:47

NVD link : CVE-2017-17552

Mitre link : CVE-2017-17552

CVE.ORG link : CVE-2017-17552

JSON object : View

Products Affected

zohocorp

manageengine_admanager_plus

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

8.8 /10