CVE-2023-35719

MEDIUM 6.8

ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability

CVSS Score

6.8

EPSS Score

0.0%

EPSS Percentile

0th

ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009.

CWE	CWE-345
Vendor	manageengine
Product	adselfservice plus
Published	Sep 6, 2023
Last Updated	Sep 26, 2024

Stay Ahead of the Next One

Get instant alerts for manageengine adselfservice plus

Be the first to know when new medium vulnerabilities affecting manageengine adselfservice plus are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Versions

ManageEngine / ADSelfService Plus

6.1 Build 6122

References

NVD ↗ CVE.org ↗ EPSS Data ↗

zerodayinitiative.com: https://www.zerodayinitiative.com/advisories/ZDI-23-891 manageengine.com: https://www.manageengine.com/products/self-service-password/kb/our-response-to-CVE-2023-35719.html