Abstract Advisory Information


Security issue affecting the product ManageEngine ADSelfService Plus, a secure, web-based, end-user password reset management and single sign-on solution.

This solution lets domain users perform self-service password resets and self-service account unlocks.

A service exposed by the software allows an unauthenticated (anonymous) user to perform a Server-Side Request Forgery (SSRF) attack.

Author: Dominique Righetto

Versions affected


Name: ADSelfService Plus

Versions: 5.6 Build 5607

Common Vulnerability Scoring System


5.3

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Patches


The vulnerability is patched in version 5.7 Build 5703.

References


https://www.manageengine.com/products/self-service-password/release-notes.html#5703

Vulnerability Disclosure Timeline


  • 14/11/2018: Vulnerability discovered
  • 16/11/2018: First contact with the vendor
  • 17/12/2018: Vulnerability patched
  • 02/01/2019: Patch released
  • 03/01/2019: CVE ID assigned by MITRE
  • 08/01/2019: Public disclosure