CVE-2023-35719
ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability
In short
The ManageEngine ADSelfService Plus GINA Client doesn't properly verify data received over HTTP, allowing a physically present attacker to bypass login and run code with system privileges without authentication.
Technical detail
The vulnerability exists in the Password Reset Portal component where HTTP data lacks proper authentication verification (CWE-345). An unauthenticated, physically present attacker can bypass authentication controls and execute arbitrary code with SYSTEM privileges by exploiting insufficient data authenticity checks.
Summary generated and translated by AI from the official description.
ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009.
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
ManageEngine · ADSelfService PlusWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →