@aliceicl
Last active November 3, 2019 18:00
Findings for CVE-2019-18411
[Product Description]
Zoho ManageEngine ADSelfService Plus 5.x through 5803 has a CSRF vulnerability on the users' profile information page. A user
who is targeted with this vulnerability is forced to modify their enrolled information, such as email address and mobile phone
number, without intending to. As a consequence, an attacker could then use the password reset function and have the system
send the authentication code to a channel the attacker controls.
------------------------------------------
[Vulnerability Type]
Cross Site Request Forgery (CSRF)
------------------------------------------
[Vendor of Product]
ManageEngine
------------------------------------------
[Affected Product Code Base]
ADSelfService Plus - Build No.5803
------------------------------------------
[Affected Component]
ADSelfService Plus; users' profile information page
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[CVE Impact Other]
CSRF against the function that updates profile information, enabling a malicious password reset
------------------------------------------
[Attack Vectors]
General CSRF; web application
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[PoC]
The CSRF protection mechanism did not work on /ServletAPI/selfservice/updateLayoutDetails:
1) The cookie "adscsrf" was not checked; we could modify it to any value we wanted.
2) The request parameter "adscsrf" was not required; we could remove it entirely.
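The two findings above describe a token check that accepts an arbitrary cookie and tolerates a missing parameter. As an added example (not code from the advisory or from ManageEngine), the following Python shows a session-bound check that rejects both cases; the Request type, the server key and the HMAC-based token derivation are assumptions made for illustration.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Hypothetical server-side secret; a real deployment would load it from protected configuration.
SERVER_KEY = secrets.token_bytes(32)


@dataclass
class Request:
    """Minimal stand-in for an HTTP request to /ServletAPI/selfservice/updateLayoutDetails."""
    session_id: str
    cookies: dict = field(default_factory=dict)
    params: dict = field(default_factory=dict)


def issue_csrf_token(session_id: str, key: bytes = SERVER_KEY) -> str:
    """Derive the adscsrf token from the authenticated session.

    Because the value is keyed with a server secret, a cookie the client invents
    (finding 1) cannot validate: only a token issued for this session will match.
    """
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(req: Request, key: bytes = SERVER_KEY) -> bool:
    """Return True only if the request carries a valid adscsrf cookie AND parameter.

    A request missing the parameter (finding 2) is rejected rather than treated as
    exempt from the check; a cookie that is not the server-issued token is rejected too.
    """
    cookie_token = req.cookies.get("adscsrf")
    param_token = req.params.get("adscsrf")
    if not cookie_token or not param_token:
        return False
    expected = issue_csrf_token(req.session_id, key)
    # Constant-time comparisons so response timing does not reveal how much of a guess matched.
    return (hmac.compare_digest(cookie_token, expected)
            and hmac.compare_digest(param_token, expected))
```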
------------------------------------------
[Discoverer]
Pornsook Kornkitichai
https://incognitolab.com
------------------------------------------