Public exploit available
Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2020-11552Improper Privilege Management in Manageengine Adselfservice Plus

CWE-269Improper Privilege Management5 documents5 sources
Severity
9.8CRITICALNVD
EPSS
5.3%
top 9.95%
CISA KEV
Not in KEV
Exploit
PoC available
Public exploit / PoC exists
Affected products
1
Zohocorp Manageengine Adselfservice Plus
Timeline
PublishedAug 11
Latest updateMay 24

Description

An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileges associated with a Certificate dialog. This vulnerability could allow an unauthenticated attacker to escalate privileges on a Windows host. An attacker does not require any privilege on the target system in order to exploit this vulnerability. One option is the self-service option on the Windows login screen. Upon selecting this option, the thick

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

🔴Vulnerability Details

2
GHSA
GHSA-6hrv-v9h4-p42x: An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileg2022-05-24
CVEList
CVE-2020-11552: An elevation of privilege vulnerability exists in ManageEngine ADSelfService Plus before build 6003 because it does not properly enforce user privileg2020-08-11

💥Exploits & PoCs

1
Exploit-DB
ManageEngine ADSelfService Build prior to 6003 - Remote Code Execution (Unauthenticated)2020-08-10

💬Community

1
Bugzilla
CVE-2018-7263 libmad: Double-free in the mad_decoder_run() function2018-02-21
CVE-2020-11552 — Improper Privilege Management | cvebase