Vulnerability Details : CVE-2018-5353
The custom GINA/CP module in Zoho ManageEngine ADSelfService Plus before 5.5 build 5517 allows remote attackers to execute code and escalate privileges via spoofing. It does not authenticate the intended server before opening a browser window. An unauthenticated attacker capable of conducting a spoofing attack can redirect the browser to gain execution in the context of the WinLogon.exe process. If Network Level Authentication is not enforced, the vulnerability can be exploited via RDP. Additionally, if the web server has a misconfigured certificate then no spoofing attack is required
Vulnerability category: Execute code
Products affected by CVE-2018-5353
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5504:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5505:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5512:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5513:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5502:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5503:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5510:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5511:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5500:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5501:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5508:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5509:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5516:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5506:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5507:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5514:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:5515:*:*:*:*:*:*
- cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:5.5:-:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-5353
3.58%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 91 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2018-5353
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5
|
HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
10.0
|
6.4
|
NIST | |
9.8
|
CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
3.9
|
5.9
|
NIST |
CWE ids for CVE-2018-5353
-
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.Assigned by: nvd@nist.gov (Primary)
References for CVE-2018-5353
-
https://github.com/missing0x00/CVE-2018-5353
GitHub - missing0x00/CVE-2018-5353: CVE-2018-5353Exploit;Third Party Advisory
-
http://zoho.com
Zoho - Cloud Software Suite and SaaS Applications for BusinessesVendor Advisory
-
https://www.manageengine.com/products/self-service-password/release-notes.html
ADSelfService Plus Release NotesRelease Notes;Vendor Advisory
Jump to