ManageEngine ADSelfService Plus below build 6116 contains an observable response discrepancy in the UMCP operation of the ChangePasswordAPI. This allows an unauthenticated remote attacker to determine whether a Windows domain user exists.
The product behaves differently or sends different responses under different circumstances in a way that is observable to an unauthorized actor, which exposes security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Manageengine_adselfservice_plus | Zohocorp | * | 6.0 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1 (including) | 6.1 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1-6100 (including) | 6.1-6100 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1-6101 (including) | 6.1-6101 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1-6102 (including) | 6.1-6102 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1-6103 (including) | 6.1-6103 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1-6104 (including) | 6.1-6104 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1-6105 (including) | 6.1-6105 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1-6106 (including) | 6.1-6106 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1-6107 (including) | 6.1-6107 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1-6108 (including) | 6.1-6108 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1-6109 (including) | 6.1-6109 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1-6110 (including) | 6.1-6110 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1-6111 (including) | 6.1-6111 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1-6112 (including) | 6.1-6112 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1-6113 (including) | 6.1-6113 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1-6114 (including) | 6.1-6114 (including) |
Manageengine_adselfservice_plus | Zohocorp | 6.1-6115 (including) | 6.1-6115 (including) |