CVE-2023-28342: 
Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation

CVE-2023-28342 is a denial-of-service (DoS) vulnerability discovered in Zoho ManageEngine ADSelfService Plus versions before build 6218. The vulnerability was disclosed on April 5, 2023, and affects the Mobile App Authentication API of the software (Vendor Advisory).

The vulnerability exists within the DomainUserSSPLogonAuth method and stems from improper input validation. It has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that it can be exploited remotely without requiring authentication or user interaction (ZDI Advisory).

When successfully exploited, the vulnerability allows remote attackers to create a denial-of-service condition on the system. Specifically, the application would restart whenever a call with a vulnerable payload was sent to the Mobile App Authentication API (Vendor Advisory).

ManageEngine has released build 6218 and later versions to fix this vulnerability by restricting the Mobile App Authentication API from processing vulnerable payloads. Users are advised to update their ADSelfService Plus instance to the latest build using the service pack (Vendor Advisory).