PT-2011-1395 · Manageengine · Zoho Manageengine Adselfservice Plus

Ernesto Alvarez · Published 2011-02-17 · Updated 2018-10-10 · CVE-2010-3273

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

ManageEngine ADSelfService Plus versions prior to 4.5 Build 4500

Description

The issue allows remote attackers to reset user passwords by providing a user id to "accounts/ValidateUser" and then a new password to "accounts/ResetResult", which can lead to access to arbitrary user accounts.

Recommendations

For versions prior to 4.5 Build 4500, update to version 4.5 Build 4500 or later to resolve the issue. As a temporary workaround, consider restricting access to the "accounts/ValidateUser" and "accounts/ResetResult" API endpoints until a patch is applied. Avoid using the user id parameter in the affected API endpoints until the issue is resolved.
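The root cause described above is a reset step that trusts a client-supplied user id and is not bound to any completed identity verification. The following model, added here as an illustration and not taken from ADSelfService Plus or from the vendor's fix, contrasts that design with a hardened one. Only the endpoint names ValidateUser and ResetResult come from the advisory; the security-question challenge, the single-use token, its lifetime and the in-memory storage are assumptions made for the example.

```python
import hmac
import secrets
import time


class ResetError(Exception):
    """Raised when a reset step is refused."""


class WeakResetService:
    """Models the flawed design in the advisory: ResetResult acts on a
    client-supplied user id and never checks that the caller proved identity."""

    def __init__(self, users):
        self.users = users  # user id -> password; constructed sample data

    def validate_user(self, user_id):
        if user_id not in self.users:
            raise ResetError("unknown user")
        return {"user": user_id}

    def reset_result(self, user_id, new_password):
        # Nothing ties this call to validate_user or to any verification, so
        # knowing a user id is enough to change that user's password.
        if user_id not in self.users:
            raise ResetError("unknown user")
        self.users[user_id] = new_password
        return user_id


class HardenedResetService:
    """Reset step accepts only a server-issued, single-use, short-lived token
    minted after the user answers a challenge (the challenge is an assumption)."""

    TOKEN_TTL_SECONDS = 300

    def __init__(self, users, challenges, clock=time.time):
        self.users = users
        self.challenges = challenges  # user id -> expected answer (constructed)
        self._pending = {}            # token -> (user id, expiry timestamp)
        self._clock = clock           # injectable so tests can advance time

    def validate_user(self, user_id):
        # Same response whether or not the user exists, so this step does not
        # act as a user-enumeration oracle.
        return {"next": "verify_challenge"}

    def verify_challenge(self, user_id, answer):
        expected = self.challenges.get(user_id)
        # Constant-time comparison; unknown user and wrong answer look the same.
        if expected is None or not hmac.compare_digest(expected.encode(), answer.encode()):
            raise ResetError("verification failed")
        token = secrets.token_urlsafe(32)
        self._pending[token] = (user_id, self._clock() + self.TOKEN_TTL_SECONDS)
        return token

    def reset_result(self, token, new_password):
        entry = self._pending.pop(token, None)  # pop: the token is single use
        if entry is None:
            raise ResetError("missing, unknown or already used reset token")
        user_id, expiry = entry
        if self._clock() > expiry:
            raise ResetError("reset token expired")
        # The target account comes from the token, never from the client.
        self.users[user_id] = new_password
        return user_id


if __name__ == "__main__":
    weak = WeakResetService({"alice": "old-secret"})
    weak.validate_user("alice")
    print("weak flow reset:", weak.reset_result("alice", "anything"))

    hard = HardenedResetService({"alice": "old-secret"}, {"alice": "blue"})
    hard.validate_user("alice")
    token = hard.verify_challenge("alice", "blue")
    print("hardened flow reset:", hard.reset_result(token, "new-secret"))
```

The design point is that the hardened `reset_result` never reads a user id from the request: the account to modify is recovered from a token the server issued only after verification, the token is consumed on first use, and it expires. That is also what makes the advisory's interim workaround (blocking both endpoints) a blunt instrument: the endpoints themselves are not the flaw, the missing binding between them is.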


Weakness Enumeration

Related Identifiers

CVE-2010-3273

Affected Products

Zoho Manageengine Adselfservice Plus