Abstract Advisory Information
Security issue affecting the product ManageEngine ADSelfService Plus, a secure, web-based, end-user password reset management and single sign-on solution.
This solution helps domain users to perform self-service password reset, self-service account unlock.
A service exposed by the software allows anonymous person to perform a Server Side Request Forgery attack.
Authors: Dominique Righetto
Name: ADSelfService Plus
Versions: 5.6 Build 5607
Common Vulnerability Scoring System
The vulnrability is patched in version 5.7 Build 5703
Vulnerability Disclosure Timeline
- 14/11/2018: Vulnerability discovered
- 16/11/2018: First contact with the vendor
- 17/12/2018: Vulnerability patched
- 02/01/2019: Patch released
- 03/01/2019: CVE ID assigned by MITRE
- 08/01/2019 : Public disclosure