CVE-2023-35719
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ManageEngine | ADSelfService Plus | 6.1 Build 6122 | affected |
Weaknesses
- CWE-345: CWE-345: Insufficient Verification of Data Authenticity
ADP Enrichment
CVE Program Container
Additional References
- https://www.zerodayinitiative.com/advisories/ZDI-23-891
- https://www.manageengine.com/products/self-service-password/kb/our-response-to-CVE-2023-35719.html
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://www.zerodayinitiative.com/advisories/ZDI-23-891
- https://www.manageengine.com/products/self-service-password/kb/our-response-to-CVE-2023-35719.html
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.