CVE-2018-20664

by adidionxlm

Abstract Advisory Information

Security issue affecting the product ManageEngine ADSelfService Plus, a web-based end-user password reset management and single sign-on solution. It lets domain users reset their own passwords and unlock their own accounts without involving the help desk.

The license update feature is vulnerable to XML External Entity (XXE) injection: the XML document submitted when updating the license is processed by a parser that honours external entity references. Exploitation requires the privileges needed to update the license (PR:H in the CVSS vector below).
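The advisory does not describe the affected parser, so the following is an added example and not code from the advisory or from ManageEngine: a minimal license-upload parser written on Python's xml.sax, run once in a weak configuration that resolves external general entities (the default of that module before Python 3.7.1) and once hardened. The <license><key> document layout, the parse_license() and run_demo() names, and the temporary "secret" file standing in for a sensitive server-side file are assumptions made for the illustration; the probe document is constructed inline.

```python
"""XXE through a license-file upload: weak XML parser configuration next to the
hardened one.  Added example; not ADSelfService Plus code.  The <license><key>
document layout, parse_license() and run_demo() are assumptions for illustration."""
import io
import tempfile
import xml.sax
import xml.sax.handler
from pathlib import Path


class LicenseHandler(xml.sax.handler.ContentHandler):
    """Collects the text content of the hypothetical <key> element."""

    def __init__(self):
        super().__init__()
        self._in_key = False
        self.key = ""

    def startElement(self, name, attrs):
        if name == "key":
            self._in_key = True

    def endElement(self, name):
        if name == "key":
            self._in_key = False

    def characters(self, content):
        # Text resolved from an external entity arrives here exactly like
        # literal text, which is how file contents leak into the "key".
        if self._in_key:
            self.key += content


class RejectDoctype:
    """SAX lexical handler: a license file never needs a DTD, so refuse any
    DOCTYPE before a single entity can be declared."""

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE is not allowed in a license upload")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def parse_license(xml_bytes, hardened):
    """Return the license key from an uploaded XML document.

    hardened=False: external general entities are resolved (the default of
    xml.sax before Python 3.7.1), so a SYSTEM entity reads server files.
    hardened=True:  external entities stay off and any DOCTYPE is rejected.
    """
    parser = xml.sax.make_parser()
    handler = LicenseHandler()
    parser.setContentHandler(handler)
    if hardened:
        parser.setFeature(xml.sax.handler.feature_external_ges, False)
        parser.setFeature(xml.sax.handler.feature_external_pes, False)
        parser.setProperty(xml.sax.handler.property_lexical_handler, RejectDoctype())
    else:
        parser.setFeature(xml.sax.handler.feature_external_ges, True)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.key.strip()


def xxe_probe(target_uri):
    """Classic XXE probe: an external entity whose body is the file at target_uri."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE license [\n"
        f'  <!ENTITY xxe SYSTEM "{target_uri}">\n'
        "]>\n"
        "<license><key>&xxe;</key></license>\n"
    ).encode()


# Constructed sample of a well-formed upload with no DTD.
BENIGN_LICENSE = b'<?xml version="1.0"?><license><key>AAAA-BBBB-CCCC</key></license>'


def run_demo():
    """Run both configurations against the same probe and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        # Stand-in for a sensitive file on the application server (constructed).
        secret = Path(tmp) / "secret.txt"
        secret.write_text("SECRET-FROM-SERVER-FS")
        probe = xxe_probe(secret.as_uri())
        leaked = parse_license(probe, hardened=False)   # file content becomes the "key"
        try:
            parse_license(probe, hardened=True)
            blocked = False
        except ValueError:
            blocked = True
    return {
        "leaked": leaked,
        "blocked": blocked,
        "benign": parse_license(BENIGN_LICENSE, hardened=True),
    }


if __name__ == "__main__":
    print(run_demo())
```

Rejecting the DOCTYPE outright, rather than only switching external entities off, is the usual fix for upload endpoints that never need a DTD: it also removes the internal entity expansion variants that can exhaust parser memory, which disabling external entities alone leaves open.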

Authors: Dominique Righetto

Version affected

Name: ADSelfService Plus
Versions: 5.6 Build 5607

Common Vulnerability Scoring System

Base score: 7.6 (High)
Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H
(network attack vector, low attack complexity, high privileges required, i.e. the rights needed to update the license, no user interaction, changed scope, low confidentiality impact, no integrity impact, high availability impact)

Patches

The vulnerability is patched in version 5.7 Build 5701. Installations running 5.6 Build 5607 or earlier should upgrade to 5701 or later.

Reference

https://www.manageengine.com/products/self-service-password/release-notes.html#5701

Vulnerability Disclosure Timeline

  • 21/11/2018: Vulnerability discovered
  • 26/11/2018: First contact with the vendor
  • 26/11/2018: Vulnerability patched
  • 30/11/2018: Patch released
  • 03/01/2019: CVE ID assigned by MITRE
  • 08/01/2019: Public disclosure