Multiple vulnerabilities in Zoho ManageEngine ADSelfService Plus
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2021-37423 |
| CWE-ID | CWE-300 CWE-200 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Zoho ManageEngine ADSelfService Plus Client/Desktop applications / Software for system administration |
| Vendor | Zoho Corporation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Man-in-the-Middle (MitM) attack
EUVDB-ID: #VU63622
Risk: Medium
CVSSv4.0: 6.9 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2021-37423
CWE-ID:
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insecure communication during password synchronization. A remote unauthenticated attacker can delete the real Password Sync Agent from the database and register a fake Password Sync Agent, breaching the sync agent functionality.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine ADSelfService Plus: 6000 - 6123
CPE2.3- cpe:2.3:a:zohocorp:zoho_manageengine_adselfservice_plus:6000:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_adselfservice_plus:6001:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_adselfservice_plus:6002:*:*:*:*:*:*:*
https://www.manageengine.com/products/self-service-password/advisory/CVE-2021-37423.html
https://www.manageengine.com/products/self-service-password/release-notes.html#6200
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Information disclosure
EUVDB-ID: #VU63623
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: N/A
CWE-ID:
CWE-200 - Exposure of sensitive information to an unauthorized actor
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the username information in the request URL is sent to the ADSelfService Plus server upon successful IdP authentication. A remote attacker can obtain this information in certain cases.
Install updates from vendor's website.
Vulnerable software versionsZoho ManageEngine ADSelfService Plus: 6000 - 6123
CPE2.3- cpe:2.3:a:zohocorp:zoho_manageengine_adselfservice_plus:6000:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_adselfservice_plus:6001:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:zoho_manageengine_adselfservice_plus:6002:*:*:*:*:*:*:*
https://www.manageengine.com/products/self-service-password/release-notes.html#6200
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
