9.8
CVE-2018-5353
- EPSS 15.29%
- Published 30.09.2020 18:15:15
- Last modified 21.11.2024 04:08:38
- Source cve@mitre.org
The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required.
Data is provided by the National Vulnerability Database (NVD).
Affected products:
- Zohocorp ≫ Manageengine Adselfservice Plus, Version < 5.5
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 (no update)
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5500
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5501
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5502
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5503
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5504
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5505
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5506
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5507
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5508
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5509
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5510
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5511
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5512
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5513
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5514
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5515
- Zohocorp ≫ Manageengine Adselfservice Plus, Version 5.5 Update 5516
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile
---|---|---|---
EPSS | FIRST.org | 15.29% | 0.943
Source | Base Score | Exploit Score | Impact Score | Vector String
---|---|---|---|---
nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov | 7.5 | 10 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE-290 Authentication Bypass by Spoofing
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.