CVE-2023-35854

Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."

Published: Jun 20, 2023
Updated: Nov 8, 2023
CVE: CVE-2023-35854
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-306

Affected Software
References

Software	From	Fixed in
zohocorp / manageengine_adselfservice_plus	6.1-6100	6.1-6100.x
zohocorp / manageengine_adselfservice_plus	6.1-6103	6.1-6103.x
zohocorp / manageengine_adselfservice_plus	6.1	6.1.x
zohocorp / manageengine_adselfservice_plus	-	6.1
zohocorp / manageengine_adselfservice_plus	6.1-6101	6.1-6101.x
zohocorp / manageengine_adselfservice_plus	6.1-6102	6.1-6102.x
zohocorp / manageengine_adselfservice_plus	6.1-6104	6.1-6104.x
zohocorp / manageengine_adselfservice_plus	6.1-6105	6.1-6105.x
zohocorp / manageengine_adselfservice_plus	6.1-6106	6.1-6106.x
zohocorp / manageengine_adselfservice_plus	6.1-6107	6.1-6107.x
zohocorp / manageengine_adselfservice_plus	6.1-6108	6.1-6108.x
zohocorp / manageengine_adselfservice_plus	6.1-6109	6.1-6109.x
zohocorp / manageengine_adselfservice_plus	6.1-6110	6.1-6110.x
zohocorp / manageengine_adselfservice_plus	6.1-6111	6.1-6111.x
zohocorp / manageengine_adselfservice_plus	6.1-6112	6.1-6112.x

Vulnerability Database

289,784

CVE-2023-35854