Headline
CVE-2023-38332: 2FA Bypass Vulnerability in ADManager Plus | CVE
Zoho ManageEngine ADManager Plus through 7201 allow authenticated users to take over another user’s account via sensitive information disclosure.
Vulnerability Details
Severity
High
CVE ID
CVE-2023-38332
Affected software versions
7201 and older
Fixed version
7202
Fixed on
July 01, 2023
Details
ADManager Plus builds 7201 and older are reported to have a security vulnerability which can be exploited by 2FA-enabled technicians to gain access to other privileged accounts. This has been fixed in the build 7202; its release notes can be found here.
Impact
2FA-enabled technicians can gain access to other privileged accounts by crafting an API request.
Steps to update
Update your ADManager Plus instance to its latest build by installing the service pack.
Acknowledgement
This issue was reported by dalt4sec via Zoho’s Bug Bounty program.
Select a language to translate the contents of this web page: