PT-2019-15395 · Zoho · Zoho Manageengine Adselfservice Plus

Pornsook Kornkitichai

·

Published

2019-11-06

·

Updated

2019-11-08

·

CVE-2019-18411

CVSS v3.1

8.8

High

Vector

AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Zoho ManageEngine ADSelfService Plus versions 5.x through 5803

Description

The issue allows an attacker to modify a user's profile information, including email and mobile phone details, without the user's intent, via a CSRF attack on the user's profile information page. Because the reset password function delivers authentication codes to the email address and mobile number stored in the profile, an attacker who changes these details could redirect the codes to channels they own and use the reset password function, potentially allowing them to take control of the system.

Recommendations

For versions 5.x through 5803, as a temporary workaround, consider restricting access to the user profile information page and the reset password function until a patch is available. Additionally, avoid using the reset password feature in the affected versions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
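A defensive illustration of how a self-service profile-update handler can refuse the kind of forged request described above (an added example, not ADSelfService Plus code): it checks the request origin, verifies a per-session synchronizer token, and requires the current password before the email or mobile recovery channels change. The portal origin, session store, profile store and password store are constructed stand-ins.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory stand-ins for the session store, the user profile store
# and the password store. A real deployment keeps a password hash, not the password.
PROFILES = {"alice": {"email": "alice@example.com", "mobile": "+1-555-0100"}}
PASSWORDS = {"alice": "correct horse battery staple"}
TRUSTED_ORIGINS = ("https://selfservice.example.com",)  # assumed portal origin


@dataclass
class Session:
    """Authenticated session; the CSRF token is bound to it, not to the form."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def verify_password(user: str, supplied: str) -> bool:
    # Constant-time comparison against the constructed store.
    return hmac.compare_digest(PASSWORDS.get(user, ""), supplied)


def update_profile(session: Session, headers: dict, form: dict) -> tuple:
    """Handle a POST to the profile page. Returns (http_status, message)."""
    # 1. A form auto-submitted from another site carries that site's Origin
    #    (or Referer); only accept the portal's own origin.
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if not origin.startswith(TRUSTED_ORIGINS):
        return 403, "request not from the portal origin"
    # 2. Synchronizer token: a third-party page cannot read the victim's
    #    session token, so a forged request cannot supply it.
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return 403, "missing or invalid CSRF token"
    # 3. Email and mobile are where reset codes are delivered, so changing them
    #    requires the current password even on a valid session (step-up auth).
    if not verify_password(session.user, form.get("current_password", "")):
        return 401, "current password required to change recovery channels"
    profile = PROFILES[session.user]
    for key in ("email", "mobile"):
        if key in form:
            profile[key] = form[key]
    return 200, "profile updated"
```

Each check fails closed on its own, so a request that passes the origin check but lacks the token, or carries the token but not the password, is still rejected.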

CSRF


Weakness Enumeration

Related Identifiers

CVE-2019-18411

Affected Products

Zoho Manageengine Adselfservice Plus