|CVSS SCORE||7.4, (AV:A/AC:M/Au:S/C:C/I:C/A:C)|
Active Directory Self Service
The specific flaw exists within processing of the password reset functionality of Active Directory Self Service. A user should only be able to change the password of other users who have explicitly delegated that power to him. By crafting request packets to the Lepide web service, a domain user can change the password of any user in the Active Directory domain. A malicious user can use this to appropriate the account of a Domain Administrator.
Lepide has issued an update to correct this vulnerability. More details can be found at: