9.8

CVE-2023-35854

Zoho ManageEngine ADSelfService Plus through 6113 has an authentication bypass that can be exploited to steal the domain controller session token for identity spoofing, thereby achieving the privileges of the domain controller administrator. NOTE: the vendor's perspective is that they have "found no evidence or detail of a security vulnerability."

Data is provided by the National Vulnerability Database (NVD)
ZohocorpManageengine Adselfservice Plus Version6.1 Update-
ZohocorpManageengine Adselfservice Plus Version6.1 Update6100
ZohocorpManageengine Adselfservice Plus Version6.1 Update6101
ZohocorpManageengine Adselfservice Plus Version6.1 Update6102
ZohocorpManageengine Adselfservice Plus Version6.1 Update6103
ZohocorpManageengine Adselfservice Plus Version6.1 Update6104
ZohocorpManageengine Adselfservice Plus Version6.1 Update6105
ZohocorpManageengine Adselfservice Plus Version6.1 Update6106
ZohocorpManageengine Adselfservice Plus Version6.1 Update6107
ZohocorpManageengine Adselfservice Plus Version6.1 Update6108
ZohocorpManageengine Adselfservice Plus Version6.1 Update6109
ZohocorpManageengine Adselfservice Plus Version6.1 Update6110
ZohocorpManageengine Adselfservice Plus Version6.1 Update6111
ZohocorpManageengine Adselfservice Plus Version6.1 Update6112
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 3.96% 0.877
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.