Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    10 vulnerabilities found for ADSelfService Plus by ManageEngine

    CVE-2025-3833 (GCVE-0-2025-3833)

    Vulnerability from nvd – Published: 2025-05-14 11:00 – Updated: 2025-05-14 13:30
    VLAI
    Title
    SQL Injection
    Summary
    Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    ManageEngine ADSelfService Plus Affected: 0 , < 6514 (6514)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3833",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-14T13:29:40.313688Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-14T13:30:00.739Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ADSelfService Plus",
              "vendor": "ManageEngine",
              "versions": [
                {
                  "lessThan": "6514",
                  "status": "affected",
                  "version": "0",
                  "versionType": "6514"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Zohocorp ManageEngine\u0026nbsp;ADSelfService Plus versions\u0026nbsp;6513 and prior are vulnerable to authenticated SQL injection in the MFA reports."
                }
              ],
              "value": "Zohocorp ManageEngine\u00a0ADSelfService Plus versions\u00a06513 and prior are vulnerable to authenticated SQL injection in the MFA reports."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-14T11:00:27.309Z",
            "orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
            "shortName": "Zohocorp"
          },
          "references": [
            {
              "url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-3833.html"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
        "assignerShortName": "Zohocorp",
        "cveId": "CVE-2025-3833",
        "datePublished": "2025-05-14T11:00:27.309Z",
        "dateReserved": "2025-04-21T07:02:38.560Z",
        "dateUpdated": "2025-05-14T13:30:00.739Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-1723 (GCVE-0-2025-1723)

    Vulnerability from nvd – Published: 2025-03-03 07:40 – Updated: 2025-03-03 14:24
    VLAI
    Title
    Account takeover
    Summary
    Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling. Valid account holders in the setup only have the potential to exploit this bug.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    ManageEngine ADSelfService Plus Affected: 0 , < 6511 (6511)
    Create a notification for this product.
    Credits
    Weston
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1723",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-03T14:23:30.263370Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-03T14:24:12.072Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "ADSelfService Plus",
              "vendor": "ManageEngine",
              "versions": [
                {
                  "lessThan": "6511",
                  "status": "affected",
                  "version": "0",
                  "versionType": "6511"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Weston"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003esession mishandling. Valid account holders in the setup only have the potential to exploit this bug.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the\u00a0session mishandling. Valid account holders in the setup only have the potential to exploit this bug."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-03T07:40:10.789Z",
            "orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
            "shortName": "ManageEngine"
          },
          "references": [
            {
              "url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-1723.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Account takeover",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
        "assignerShortName": "ManageEngine",
        "cveId": "CVE-2025-1723",
        "datePublished": "2025-03-03T07:40:10.789Z",
        "dateReserved": "2025-02-26T17:07:32.710Z",
        "dateUpdated": "2025-03-03T14:24:12.072Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-27310 (GCVE-0-2024-27310)

    Vulnerability from nvd – Published: 2024-05-27 17:26 – Updated: 2024-10-07 19:44
    VLAI
    Title
    DOS Vulnerability
    Summary
    Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to the DOS attack due to the malicious LDAP input.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
    Assigner
    Impacted products
    Vendor Product Version
    ManageEngine ADSelfService Plus Affected: 0 , < 6401 (14730)
    Create a notification for this product.
    zohocorp manageengine_adselfservice_plus Affected: 0 , ≤ builds_6400 (custom)
        cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "manageengine_adselfservice_plus",
                "vendor": "zohocorp",
                "versions": [
                  {
                    "lessThanOrEqual": "builds_6400",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-27310",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-31T16:52:11.510173Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-13T14:02:04.570Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:27:59.865Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-27310.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ADSelfService Plus",
              "vendor": "ManageEngine",
              "versions": [
                {
                  "lessThan": "6401",
                  "status": "affected",
                  "version": "0",
                  "versionType": "14730"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Zoho ManageEngine\u0026nbsp;ADSelfService Plus versions below\u0026nbsp;6401 are vulnerable to the DOS attack due to the malicious LDAP input."
                }
              ],
              "value": "Zoho ManageEngine\u00a0ADSelfService Plus versions below\u00a06401 are vulnerable to the DOS attack due to the malicious LDAP input."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-90",
                  "description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-07T19:44:05.359Z",
            "orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
            "shortName": "ManageEngine"
          },
          "references": [
            {
              "url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-27310.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "DOS Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
        "assignerShortName": "ManageEngine",
        "cveId": "CVE-2024-27310",
        "datePublished": "2024-05-27T17:26:14.229Z",
        "dateReserved": "2024-02-23T06:13:18.186Z",
        "dateUpdated": "2024-10-07T19:44:05.359Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-0252 (GCVE-0-2024-0252)

    Vulnerability from nvd – Published: 2024-01-11 07:57 – Updated: 2025-06-17 21:09
    VLAI
    Title
    Remote code execution
    Summary
    ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    ManageEngine ADSelfService Plus Affected: 0 , < 6402 (6401)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T17:41:16.095Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-0252.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-0252",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-25T05:00:52.762305Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T21:09:15.509Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.manageengine.com/products/download.html",
              "defaultStatus": "affected",
              "platforms": [
                "Windows"
              ],
              "product": "ADSelfService Plus",
              "vendor": "ManageEngine",
              "versions": [
                {
                  "lessThan": "6402",
                  "status": "affected",
                  "version": "0",
                  "versionType": "6401"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "ManageEngine ADSelfService Plus versions\u0026nbsp;6401\u0026nbsp;and below are vulnerable to the remote code execution due to the improper handling in the load \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ebalancer\u003c/span\u003e component. Authentication is required in order to exploit this vulnerability."
                }
              ],
              "value": "ManageEngine ADSelfService Plus versions\u00a06401\u00a0and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-07T08:23:43.403Z",
            "orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
            "shortName": "ManageEngine"
          },
          "references": [
            {
              "url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-0252.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Remote code execution",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
        "assignerShortName": "ManageEngine",
        "cveId": "CVE-2024-0252",
        "datePublished": "2024-01-11T07:57:12.987Z",
        "dateReserved": "2024-01-05T17:59:42.780Z",
        "dateUpdated": "2025-06-17T21:09:15.509Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-35719 (GCVE-0-2023-35719)

    Vulnerability from nvd – Published: 2023-09-06 04:03 – Updated: 2024-09-26 20:24
    VLAI
    Title
    ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability
    Summary
    ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    ManageEngine ADSelfService Plus Affected: 6.1 Build 6122
    Create a notification for this product.
    Date Public
    2023-06-21 20:20
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T16:30:44.487Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "Zero Day Initiative Security Advisory ZDI-23-891",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-891"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.manageengine.com/products/self-service-password/kb/our-response-to-CVE-2023-35719.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-35719",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-26T20:23:54.363071Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-26T20:24:03.273Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "ADSelfService Plus",
              "vendor": "ManageEngine",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.1 Build 6122"
                }
              ]
            }
          ],
          "dateAssigned": "2023-06-15T20:31:13.921Z",
          "datePublic": "2023-06-21T20:20:55.928Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-15T19:54:06.718Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "Zero Day Initiative Security Advisory ZDI-23-891",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-891"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.manageengine.com/products/self-service-password/kb/our-response-to-CVE-2023-35719.html"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Pedro Ribeiro (pedrib@gmail.com | @pedrib1337), Jo\u00e3o Bigotte and Ashley King from Agile Information Security"
          },
          "title": "ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-35719",
        "datePublished": "2023-09-06T04:03:08.608Z",
        "dateReserved": "2023-06-15T20:23:02.753Z",
        "dateUpdated": "2024-09-26T20:24:03.273Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-3833 (GCVE-0-2025-3833)

    Vulnerability from cvelistv5 – Published: 2025-05-14 11:00 – Updated: 2025-05-14 13:30
    VLAI
    Title
    SQL Injection
    Summary
    Zohocorp ManageEngine ADSelfService Plus versions 6513 and prior are vulnerable to authenticated SQL injection in the MFA reports.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Vendor Product Version
    ManageEngine ADSelfService Plus Affected: 0 , < 6514 (6514)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-3833",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-05-14T13:29:40.313688Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-05-14T13:30:00.739Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ADSelfService Plus",
              "vendor": "ManageEngine",
              "versions": [
                {
                  "lessThan": "6514",
                  "status": "affected",
                  "version": "0",
                  "versionType": "6514"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Zohocorp ManageEngine\u0026nbsp;ADSelfService Plus versions\u0026nbsp;6513 and prior are vulnerable to authenticated SQL injection in the MFA reports."
                }
              ],
              "value": "Zohocorp ManageEngine\u00a0ADSelfService Plus versions\u00a06513 and prior are vulnerable to authenticated SQL injection in the MFA reports."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-05-14T11:00:27.309Z",
            "orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
            "shortName": "Zohocorp"
          },
          "references": [
            {
              "url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-3833.html"
            }
          ],
          "source": {
            "discovery": "INTERNAL"
          },
          "title": "SQL Injection",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
        "assignerShortName": "Zohocorp",
        "cveId": "CVE-2025-3833",
        "datePublished": "2025-05-14T11:00:27.309Z",
        "dateReserved": "2025-04-21T07:02:38.560Z",
        "dateUpdated": "2025-05-14T13:30:00.739Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-1723 (GCVE-0-2025-1723)

    Vulnerability from cvelistv5 – Published: 2025-03-03 07:40 – Updated: 2025-03-03 14:24
    VLAI
    Title
    Account takeover
    Summary
    Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the session mishandling. Valid account holders in the setup only have the potential to exploit this bug.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    ManageEngine ADSelfService Plus Affected: 0 , < 6511 (6511)
    Create a notification for this product.
    Credits
    Weston
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-1723",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-03-03T14:23:30.263370Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-03-03T14:24:12.072Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "platforms": [
                "Windows"
              ],
              "product": "ADSelfService Plus",
              "vendor": "ManageEngine",
              "versions": [
                {
                  "lessThan": "6511",
                  "status": "affected",
                  "version": "0",
                  "versionType": "6511"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Weston"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003esession mishandling. Valid account holders in the setup only have the potential to exploit this bug.\u003c/span\u003e\u003cbr\u003e"
                }
              ],
              "value": "Zohocorp ManageEngine ADSelfService Plus versions 6510 and below are vulnerable to account takeover due to the\u00a0session mishandling. Valid account holders in the setup only have the potential to exploit this bug."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287 Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-03-03T07:40:10.789Z",
            "orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
            "shortName": "ManageEngine"
          },
          "references": [
            {
              "url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2025-1723.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Account takeover",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
        "assignerShortName": "ManageEngine",
        "cveId": "CVE-2025-1723",
        "datePublished": "2025-03-03T07:40:10.789Z",
        "dateReserved": "2025-02-26T17:07:32.710Z",
        "dateUpdated": "2025-03-03T14:24:12.072Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-27310 (GCVE-0-2024-27310)

    Vulnerability from cvelistv5 – Published: 2024-05-27 17:26 – Updated: 2024-10-07 19:44
    VLAI
    Title
    DOS Vulnerability
    Summary
    Zoho ManageEngine ADSelfService Plus versions below 6401 are vulnerable to the DOS attack due to the malicious LDAP input.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
    Assigner
    Impacted products
    Vendor Product Version
    ManageEngine ADSelfService Plus Affected: 0 , < 6401 (14730)
    Create a notification for this product.
    zohocorp manageengine_adselfservice_plus Affected: 0 , ≤ builds_6400 (custom)
        cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "manageengine_adselfservice_plus",
                "vendor": "zohocorp",
                "versions": [
                  {
                    "lessThanOrEqual": "builds_6400",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-27310",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-05-31T16:52:11.510173Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-06-13T14:02:04.570Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T00:27:59.865Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-27310.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "ADSelfService Plus",
              "vendor": "ManageEngine",
              "versions": [
                {
                  "lessThan": "6401",
                  "status": "affected",
                  "version": "0",
                  "versionType": "14730"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Zoho ManageEngine\u0026nbsp;ADSelfService Plus versions below\u0026nbsp;6401 are vulnerable to the DOS attack due to the malicious LDAP input."
                }
              ],
              "value": "Zoho ManageEngine\u00a0ADSelfService Plus versions below\u00a06401 are vulnerable to the DOS attack due to the malicious LDAP input."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-90",
                  "description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-10-07T19:44:05.359Z",
            "orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
            "shortName": "ManageEngine"
          },
          "references": [
            {
              "url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-27310.html"
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "DOS Vulnerability",
          "x_generator": {
            "engine": "Vulnogram 0.2.0"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
        "assignerShortName": "ManageEngine",
        "cveId": "CVE-2024-27310",
        "datePublished": "2024-05-27T17:26:14.229Z",
        "dateReserved": "2024-02-23T06:13:18.186Z",
        "dateUpdated": "2024-10-07T19:44:05.359Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-0252 (GCVE-0-2024-0252)

    Vulnerability from cvelistv5 – Published: 2024-01-11 07:57 – Updated: 2025-06-17 21:09
    VLAI
    Title
    Remote code execution
    Summary
    ManageEngine ADSelfService Plus versions 6401 and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    ManageEngine ADSelfService Plus Affected: 0 , < 6402 (6401)
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T17:41:16.095Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-0252.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-0252",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-25T05:00:52.762305Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T21:09:15.509Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://www.manageengine.com/products/download.html",
              "defaultStatus": "affected",
              "platforms": [
                "Windows"
              ],
              "product": "ADSelfService Plus",
              "vendor": "ManageEngine",
              "versions": [
                {
                  "lessThan": "6402",
                  "status": "affected",
                  "version": "0",
                  "versionType": "6401"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "ManageEngine ADSelfService Plus versions\u0026nbsp;6401\u0026nbsp;and below are vulnerable to the remote code execution due to the improper handling in the load \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ebalancer\u003c/span\u003e component. Authentication is required in order to exploit this vulnerability."
                }
              ],
              "value": "ManageEngine ADSelfService Plus versions\u00a06401\u00a0and below are vulnerable to the remote code execution due to the improper handling in the load balancer component. Authentication is required in order to exploit this vulnerability."
            }
          ],
          "impacts": [
            {
              "capecId": "CAPEC-242",
              "descriptions": [
                {
                  "lang": "en",
                  "value": "CAPEC-242 Code Injection"
                }
              ]
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-06-07T08:23:43.403Z",
            "orgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
            "shortName": "ManageEngine"
          },
          "references": [
            {
              "url": "https://www.manageengine.com/products/self-service-password/advisory/CVE-2024-0252.html"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Remote code execution",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "0fc0942c-577d-436f-ae8e-945763c79b02",
        "assignerShortName": "ManageEngine",
        "cveId": "CVE-2024-0252",
        "datePublished": "2024-01-11T07:57:12.987Z",
        "dateReserved": "2024-01-05T17:59:42.780Z",
        "dateUpdated": "2025-06-17T21:09:15.509Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2023-35719 (GCVE-0-2023-35719)

    Vulnerability from cvelistv5 – Published: 2023-09-06 04:03 – Updated: 2024-09-26 20:24
    VLAI
    Title
    ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability
    Summary
    ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-345 - Insufficient Verification of Data Authenticity
    Assigner
    zdi
    References
    Impacted products
    Vendor Product Version
    ManageEngine ADSelfService Plus Affected: 6.1 Build 6122
    Create a notification for this product.
    Date Public
    2023-06-21 20:20
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T16:30:44.487Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "Zero Day Initiative Security Advisory ZDI-23-891",
                "tags": [
                  "x_research-advisory",
                  "x_transferred"
                ],
                "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-891"
              },
              {
                "name": "vendor-provided URL",
                "tags": [
                  "vendor-advisory",
                  "x_transferred"
                ],
                "url": "https://www.manageengine.com/products/self-service-password/kb/our-response-to-CVE-2023-35719.html"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-35719",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-26T20:23:54.363071Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-26T20:24:03.273Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unknown",
              "product": "ADSelfService Plus",
              "vendor": "ManageEngine",
              "versions": [
                {
                  "status": "affected",
                  "version": "6.1 Build 6122"
                }
              ]
            }
          ],
          "dateAssigned": "2023-06-15T20:31:13.921Z",
          "datePublic": "2023-06-21T20:20:55.928Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability. This vulnerability allows physically present attackers to execute arbitrary code on affected installations of ManageEngine ADSelfService Plus. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the Password Reset Portal used by the GINA client. The issue results from the lack of proper authentication of data received via HTTP. An attacker can leverage this vulnerability to bypass authentication and execute code in the context of SYSTEM. Was ZDI-CAN-17009."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "baseScore": 6.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              },
              "format": "CVSS"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-345",
                  "description": "CWE-345: Insufficient Verification of Data Authenticity",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2023-09-15T19:54:06.718Z",
            "orgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
            "shortName": "zdi"
          },
          "references": [
            {
              "name": "Zero Day Initiative Security Advisory ZDI-23-891",
              "tags": [
                "x_research-advisory"
              ],
              "url": "https://www.zerodayinitiative.com/advisories/ZDI-23-891"
            },
            {
              "name": "vendor-provided URL",
              "tags": [
                "vendor-advisory"
              ],
              "url": "https://www.manageengine.com/products/self-service-password/kb/our-response-to-CVE-2023-35719.html"
            }
          ],
          "source": {
            "lang": "en",
            "value": "Pedro Ribeiro (pedrib@gmail.com | @pedrib1337), Jo\u00e3o Bigotte and Ashley King from Agile Information Security"
          },
          "title": "ManageEngine ADSelfService Plus GINA Client Insufficient Verification of Data Authenticity Authentication Bypass Vulnerability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "99f1926a-a320-47d8-bbb5-42feb611262e",
        "assignerShortName": "zdi",
        "cveId": "CVE-2023-35719",
        "datePublished": "2023-09-06T04:03:08.608Z",
        "dateReserved": "2023-06-15T20:23:02.753Z",
        "dateUpdated": "2024-09-26T20:24:03.273Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }