CVE-2023-31492

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine ADManager Plus versions 7182 and prior

Description The issue is related to insufficient protection of registration data, allowing an attacker to gain unauthorized access to protected information. This can be achieved by exploiting incorrect access control in the software, which enables unauthenticated attackers to view user passwords after executing backup or recovery operations on user accounts. The vulnerability can be exploited using a specially crafted API request, potentially allowing attackers to view default passwords for account restoration of unauthorized domains.

Recommendations For Zoho ManageEngine ADManager Plus versions 7182 and prior, consider disabling the account restoration feature for unauthorized domains until a patch is available. Restrict access to the API endpoint used for backup or recovery operations to minimize the risk of exploitation. Avoid using the default passwords for account restoration until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.