Headline
CVE-2023-41904: [Fixed] Generation of AuthToken without 2FA verification in ADManager Plus | CVE
Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass (for AuthToken generation) in REST APIs.
Vulnerability Details
Severity: Medium
CVE ID: CVE-2023-41904
Affected software version: 7202 and older
Fixed version: 7203
Fixed on: July 30, 2023
Details
CVE-2023-41904 refers to an issue in ADManager Plus versions 7202 and older where the REST APIs were accessible without proper 2FA verification. This has been fixed in build 7203, and its release notes can be found here.
Impact
AuthTokens used for REST API requests can be generated without 2FA verification. Learn more about the generation of REST API AuthToken here.
Steps to update
Update your ADManager Plus instance to its latest build by installing the service pack.
Acknowledgement
This vulnerability was reported by the Vector0 Research Team.