Lucene search

[email protected]NVD:CVE-2023-35719

HistorySep 06, 2023 - 5:15 a.m.

CVE-2023-35719

2023-09-0605:15:42

CWE-345

[email protected]

web.nvd.nist.gov

manageengine

adselfservice

gina client

authentication

bypass

vulnerability

CVSS3

6.8

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

19.0%

JSON

ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009.

Affected configurations

Nvd

Node

zohocorpmanageengine_adselfservice_plusMatch6.16122

VendorProductVersionCPE
zohocorpmanageengine_adselfservice_plus6.1cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6122:*:*:*:*:*:*

Vendor	Product	Version	CPE
zohocorp	manageengine_adselfservice_plus	6.1	cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1:6122::::::

References

www.manageengine.com/products/self-service-password/kb/our-response-to-CVE-2023-35719.html

www.zerodayinitiative.com/advisories/ZDI-23-891

CVSS3

6.8

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.001

Percentile

19.0%

JSON

Related for NVD:CVE-2023-35719

cvelist1 zdi1 prion1 cve1