Risk | Medium |
Patch available | YES |
Number of vulnerabilities | 2 |
CVE-ID | CVE-2021-37423 |
CWE-ID | CWE-300 CWE-200 |
Exploitation vector | Network |
Public exploit | N/A |
Vulnerable software Subscribe |
Zoho ManageEngine ADSelfService Plus Client/Desktop applications / Software for system administration |
Vendor | Zoho Corporation |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
EUVDB-ID: #VU63622
Risk: Medium
CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2021-37423
CWE-ID:
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to insecure communication during password synchronization. A remote unauthenticated attacker can delete the real Password Sync Agent from the database and register a fake Password Sync Agent, breaching the sync agent functionality.
MitigationInstall updates from vendor's website.
Vulnerable software versionsZoho ManageEngine ADSelfService Plus: 6000 - 6123
External linkshttp://www.manageengine.com/products/self-service-password/advisory/CVE-2021-37423.html
http://www.manageengine.com/products/self-service-password/release-notes.html#6200
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU63623
Risk: Low
CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-200 - Information exposure
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the username information in the request URL is sent to the ADSelfService Plus server upon successful IdP authentication. A remote attacker can obtain this information in certain cases.
Install updates from vendor's website.
Vulnerable software versionsZoho ManageEngine ADSelfService Plus: 6000 - 6123
External linkshttp://www.manageengine.com/products/self-service-password/release-notes.html#6200
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.