Abstract Advisory Information


Security issue affecting the product ManageEngine ADSelfService Plus, a secure, web-based, end-user password management and single sign-on solution.

This solution helps domain users to perform self-service password reset, self-service account unlock.

A service exposed by the software allows anonymous person to retrieve internal information on the system and modify the product installation.

Author: Dominique Righetto

Version affected


Name: ADSelfService Plus

Versions: 5.6 Build 5607

Common Vulnerability Scoring System


5.3

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Patches


Unknown

References


None

Vulnerability Disclosure Timeline


  • 14/11/2018: Vulnerability identification
  • 16/11/2018: First contact with the vendor
  • 27/11/2018: Request for update
  • 28/11/2018: Acknowledge from the vendor
  • 03/01/2019: Request for update with no answer
  • 25/01/2019: Request for update with no answer
  • 18/02/2019: Public disclosure