CVE-2019-12476 — Weak Password Recovery Mechanism for Forgotten Password in Manageengine Adselfservice Plus

CWE-640 — Weak Password Recovery Mechanism for Forgotten Password3 documents3 sources

Severity

6.8MEDIUMNVD

EPSS

1.2%

top 21.36%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Zohocorp Manageengine Adselfservice Plus

Timeline

PublishedJun 17

Latest updateMay 24

Description

An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input.

CVSS vector

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 0.9 | Impact: 5.9

Affected Packages1 packages

▶NVDzohocorp/manageengine_adselfservice_plus4.3.3 — 5.0.6

🔴Vulnerability Details

GHSA

GHSA-g74x-pj95-hm2h: An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5↗2022-05-24

▶

CVEList

CVE-2019-12476: An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5↗2019-06-17

▶