CVE-2023-35854: Missing Authentication for Critical Function in ManageEngine ADSelfService Plus

Severity
9.8 CRITICAL (NVD)
EPSS
3.1%
top 13.19%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Jun 20

Description

Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 1 package

Vulnerability Details (2)
GHSA
GHSA-vwhx-3qh6-75xf (2023-06-20): Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for
CVEList
CVE-2023-35854 (2023-06-20): Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for
CVE-2023-35854 — CRITICAL severity | cvebase