Vulnerability Details : CVE-2010-3272
accounts/ValidateAnswers in the security-questions implementation in ZOHO ManageEngine ADSelfService Plus before 4.5 Build 4500 makes it easier for remote attackers to reset user passwords, and consequently obtain access to arbitrary user accounts, via a modified (1) Hide_Captcha or (2) quesList parameter in a validateAll action.
Vulnerability category: Input validation
Exploit prediction scoring system (EPSS) score for CVE-2010-3272
Probability of exploitation activity in the next 30 days: 3.61%
Percentile (the proportion of vulnerabilities scored at or below this value): ~90%
CVSS scores for CVE-2010-3272
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N | 8.6 | 2.9 | NIST
CWE ids for CVE-2010-3272
- The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2010-3272
- http://www.securityfocus.com/archive/1/516396/100/0/threaded
  SecurityFocus
- http://securityreason.com/securityalert/8089
  ZOHO ManageEngine ADSelfService multiple vulnerabilities - CXSecurity.com
- http://www.coresecurity.com/content/zoho-manageengine-vulnerabilities
  ZOHO ManageEngine ADSelfService multiple vulnerabilities | Core Security (Exploit)
- http://www.securityfocus.com/bid/46331
  ManageEngine ADSelfService Plus Multiple Vulnerabilities (Exploit)
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65350
  ManageEngine ADSelfService Plus password recovery weak security CVE-2010-3273 Vulnerability Report
- http://www.vupen.com/english/advisories/2011/0392
  VUPEN Security Advisory (Vendor Advisory)
Products affected by CVE-2010-3272
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*