Vulnerability identifier: #VU77737
Vulnerability risk: Low
CVSSv3.1: 6.2 [CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:U/RC:C]
CVE-ID:
CWE-ID:
CWE-345
Exploitation vector: Local
Exploit availability: No
Vulnerable software:
Zoho ManageEngine ADSelfService Plus
Client/Desktop applications /
Software for system administration
Vendor: Zoho Corporation
Description
The vulnerability allows an attacker to compromise the affected system.
The vulnerability exists due to the lack of proper authentication of data received via HTTP within the Password Reset Portal used by the GINA client. An attacker with physical access to the system can bypass authentication and compromise the system.
Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versions
Zoho ManageEngine ADSelfService Plus: 6000 - 6300
External links
http://www.zerodayinitiative.com/advisories/ZDI-23-891/
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.