CVE-2023-35854

Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CISA-ADPADP
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 87%
VendorProductVersion
zohocorpmanageengine_adselfservice_plus
𝑥
< 6.1
zohocorpmanageengine_adselfservice_plus
6.1
zohocorpmanageengine_adselfservice_plus
6.1:6100
zohocorpmanageengine_adselfservice_plus
6.1:6101
zohocorpmanageengine_adselfservice_plus
6.1:6102
zohocorpmanageengine_adselfservice_plus
6.1:6103
zohocorpmanageengine_adselfservice_plus
6.1:6104
zohocorpmanageengine_adselfservice_plus
6.1:6105
zohocorpmanageengine_adselfservice_plus
6.1:6106
zohocorpmanageengine_adselfservice_plus
6.1:6107
zohocorpmanageengine_adselfservice_plus
6.1:6108
zohocorpmanageengine_adselfservice_plus
6.1:6109
zohocorpmanageengine_adselfservice_plus
6.1:6110
zohocorpmanageengine_adselfservice_plus
6.1:6111
zohocorpmanageengine_adselfservice_plus
6.1:6112
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/970198175/Simply-use
https://www.manageengine.com
https://github.com/970198175/Simply-use
https://www.manageengine.com