ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability
CVE-2023-35719

6.8MEDIUM

Key Information:

Vendor

Manageengine
Status
Adselfservice Plus
Vendor
CVE Published:
6 September 2023

What is CVE-2023-35719?

ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009.

Affected Version(s)

ADSelfService Plus 6.1 Build 6122

References

https://www.zerodayinitiative.com/advisories/ZDI-23-891
x_research-advisory
https://www.manageengine.com/products/self-service-passwo...
vendor-advisory

EPSS Score

19% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

CVSS V3.0

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Physical
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.