CVE-2019-8346

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine ADSelfService Plus versions 5.x through 5704

Description The issue allows for an unauthenticated manipulation of the JavaScript code by injecting the HTTP form parameter adscsrf in the authorization.do endpoint. This can be used to capture a user's AD self-service password reset and MFA token.

Recommendations For versions 5.x through 5704, consider restricting access to the authorization.do endpoint until a patch is available. As a temporary workaround, avoid using the adscsrf parameter in the affected endpoint to minimize the risk of exploitation.