CVE-2010-3272

Name of the Vulnerable Software and Affected Versions ManageEngine ADSelfService Plus versions prior to 4.5 Build 4500

Description The issue concerns the security-questions implementation in ManageEngine ADSelfService Plus, where the "accounts/ValidateAnswers" endpoint is vulnerable to password reset attacks. Remote attackers can exploit this by modifying the Hide Captcha or quesList parameter in a validateAll action, allowing them to reset user passwords and gain access to arbitrary user accounts.

Recommendations For versions prior to 4.5 Build 4500, update to version 4.5 Build 4500 or later to resolve the issue. As a temporary workaround, consider restricting access to the "accounts/ValidateAnswers" endpoint or disabling the security-questions feature until a patch is applied. Avoid using the Hide Captcha or quesList parameter in the affected endpoint until the issue is resolved.