PT-2011-1395 · Manageengine · Zoho Manageengine Adselfservice Plus

Ernesto Alvarez · Published 2011-02-17 · Updated 2018-10-10 · CVE-2010-3273

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions
ManageEngine ADSelfService Plus versions prior to 4.5 Build 4500

Description
The self-service password-reset flow does not tie its second step to a completed identity check. A remote attacker can supply a user id to "accounts/ValidateUser" and then a new password to "accounts/ResetResult", resetting that user's password without answering any verification challenge, which gives access to arbitrary user accounts.

Recommendations
For versions prior to 4.5 Build 4500, update to version 4.5 Build 4500 or later. Until the update is applied, restrict network access to the "accounts/ValidateUser" and "accounts/ResetResult" endpoints (for example to trusted internal addresses only) and treat the user id passed to them as attacker-controlled: on its own it is not proof of identity. Review password-reset activity for accounts changed through these endpoints while a vulnerable version was exposed.
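The flaw is easier to see as code. The block below is an added illustration, not ADSelfService Plus code: it models the two endpoints named in the advisory twice, once as described (ResetResult trusts whatever user id the client sends back) and once hardened so that ResetResult accepts only a signed, expiring, single-use token the server issued after an identity check passed. The in-memory user store, the secret-answer check standing in for the product's real verification, the token format and the signing key are all assumptions for the example.

```python
"""Two-step password reset: the unbound (vulnerable) flow beside a flow that
binds the reset to a completed identity check. Constructed illustration; the
endpoint names follow the advisory, everything else is assumed."""
import hashlib
import hmac
import os
import secrets
import time

SERVER_KEY = os.urandom(32)          # assumed per-deployment signing secret
TOKEN_TTL_SECONDS = 300


class VulnerableReset:
    """Models the advisory: ValidateUser only checks that the account exists,
    and ResetResult trusts the user id the client sends back, with nothing
    tying it to a completed identity check."""

    def __init__(self, users):
        self.users = users                       # {user_id: password}

    def validate_user(self, user_id):
        return user_id in self.users

    def reset_result(self, user_id, new_password):
        if user_id not in self.users:
            return False
        self.users[user_id] = new_password       # no proof of identity required
        return True


class HardenedReset:
    """Same two endpoints, but ResetResult only accepts a token that the server
    issued after the identity check succeeded. The secret-answer check is a
    stand-in for whatever verification the real product performs."""

    def __init__(self, users, answers):
        self.users = users                       # {user_id: password}
        self.answers = answers                   # {user_id: secret answer}
        self.used_nonces = set()                 # makes each token single-use

    def validate_user(self, user_id):
        return user_id in self.users

    def _sign(self, payload):
        return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()

    def verify_identity(self, user_id, answer):
        """Returns a reset token only if the identity check passes."""
        expected = self.answers.get(user_id)
        if expected is None or not hmac.compare_digest(expected, answer):
            return None
        expires = str(int(time.time()) + TOKEN_TTL_SECONDS)
        payload = "|".join([user_id, expires, secrets.token_hex(16)])
        return payload + "|" + self._sign(payload)

    def reset_result(self, token, new_password):
        parts = token.split("|")
        if len(parts) != 4:
            return False                         # a bare user id is not a token
        user_id, expires, nonce, sig = parts
        payload = "|".join([user_id, expires, nonce])
        if not hmac.compare_digest(self._sign(payload), sig):
            return False                         # forged or tampered (e.g. user id swapped)
        if int(time.time()) > int(expires) or nonce in self.used_nonces:
            return False                         # expired or replayed
        if user_id not in self.users:
            return False
        self.used_nonces.add(nonce)
        self.users[user_id] = new_password
        return True


def attack_unbound(flow, user_id, new_password):
    """The sequence the advisory describes: a user id to ValidateUser, then a
    new password to ResetResult, skipping any identity check in between."""
    return flow.validate_user(user_id) and flow.reset_result(user_id, new_password)


if __name__ == "__main__":
    weak = VulnerableReset({"alice": "old"})
    print("vulnerable flow, reset without verification:",
          attack_unbound(weak, "alice", "pwned"))
    strong = HardenedReset({"alice": "old"}, {"alice": "fluffy"})
    print("hardened flow, reset without verification:",
          attack_unbound(strong, "alice", "pwned"))
    print("hardened flow, reset with a valid token:",
          strong.reset_result(strong.verify_identity("alice", "fluffy"), "new"))
```

The point of the hardened version is not the specific token format but that the server, not the client, carries the fact that verification happened: the token is bound to one user id by the signature, so swapping the id in transit fails, and the nonce set means a captured token cannot be replayed against the same account.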

Exploit

Fix

RCE


Weakness Enumeration

Related identifiers

CVE-2010-3273

Affected products

Zoho Manageengine Adselfservice Plus