| CVE ID | CVE-2015-8570 |
| CVSS SCORE | 7.4, AV:A/AC:M/Au:S/C:C/I:C/A:C |
| AFFECTED VENDORS |
Lepide |
| AFFECTED PRODUCTS |
Active Directory Self Service |
| VULNERABILITY DETAILS |
The specific flaw exists within processing of the password reset functionality of Active Directory Self Service. A user should only be able to change the password of other users who have explicitly delegated that power to him. By crafting request packets to the Lepide web service, a domain user can change the password of any user in the Active Directory domain. A malicious user can use this to appropriate the account of a Domain Administrator. |
| ADDITIONAL DETAILS |
Lepide has issued an update to correct this vulnerability. More details can be found at:
http://www.lepide.com/active-directory-self-service/ |
| DISCLOSURE TIMELINE |
|
| CREDIT | Alain Homewood |
