CVE Vulnerability

CVE-2019-12476

An authentication bypass vulnerability in the password reset functionality in Zoho ManageEngine ADSelfService Plus before 5.0.6 allows an attacker with physical access to gain a shell with SYSTEM privileges via the restricted thick client browser. The attack uses a long sequence of crafted keyboard input.

7.2 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 10

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

Scope

6.8 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector PHYSICAL

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/0katz/CVE-2019-12476 Exploit Third Party Advisory
https://gist.github.com/0katz/54167ba30ea361f3776e269bb7b1afb3 Broken Link
http://www.securityfocus.com/bid/108813
Configurations

Configuration 1
Information

Published : 2019-06-17 06:15

Updated : 2020-08-24 05:37

NVD link : CVE-2019-12476

Mitre link : CVE-2019-12476

Products Affected

Manageengine Adselfservice Plus

Microsoft

Windows

Zohocorp

CWE
CWE-640

Weak Password Recovery Mechanism for Forgotten Password