Information disclosure in Zoho ManageEngine ADSelfService Plus - #VU63623

 

Information disclosure in Zoho ManageEngine ADSelfService Plus - #VU63623

Published: May 25, 2022


Vulnerability identifier: #VU63623
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Zoho Corporation
Affected software:
Zoho ManageEngine ADSelfService Plus

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the username information in the request URL is sent to the ADSelfService Plus server upon successful IdP authentication. A remote attacker can obtain this information in certain cases.


Remediation

Install updates from vendor's website.

Sources