Vulnerability identifier: #VU77737

Vulnerability risk: Low

CVSSv3.1: 6.2 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]

CVE-ID: CVE-2023-35719

CWE-ID: CWE-345

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Zoho ManageEngine ADSelfService Plus
Client/Desktop applications / Software for system administration

Vendor: Zoho Corporation

Description

The vulnerability allows an attacker to compromise the affected system.

The vulnerability exists due to the lack of proper authentication of data received via HTTP within the Password Reset Portal used by the GINA client. An attacker with physical access to the system can bypass authentication and compromise the system.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

Zoho ManageEngine ADSelfService Plus: 6000 - 6300

---

External links
http://www.zerodayinitiative.com/advisories/ZDI-23-891/

---

Q & A

Can this vulnerability be exploited remotely?

No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.