The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2020-09-29T20:07:22
Updated: 2024-08-05T05:33:44.213Z
Reserved: 2018-01-12T00:00:00
Link: CVE-2018-5353
Vulnrichment
No data.
NVD
Status : Modified
Published: 2020-09-30T18:15:15.927
Modified: 2024-11-21T04:08:38.213
Link: CVE-2018-5353
Redhat
No data.