Security vulnerability in AD Self Password Reset v3.0.3.0 and older
We recently discovered that there is a security vulnerability in AD Self Password Reset v3.0.3.0 and older.
This vulnerability allows unauthenticated password resets of arbitrary accounts. We don’t have any examples of anyone exploiting this vulnerability.
We are currently contacting all customers who have purchased AD Self Password Reset and offering them a free upgrade to the latest version of the program. We will ensure all customers are upgraded to the latest version so no customer is left running a vulnerable version. If the contact we have for your organization does not get back to us to confirm the upgrade then we will try to contact your IT department to obtain a new contact.
We are sorry this has happened and apologize for any inconvenience this may have caused you. We have worked with a security consultancy to make sure we fixed the issue correctly and in the safest way possible for our customers and users.
How can I resolve this vulnerability?
Check the version of a file named PasswordReset.dll which can be found in the ‘bin’ folder.If the file is version 3.0.2.9 or older then you need to install the latest version of the program which can be downloaded below.
The latest version as of 7th Dec 2015 is 3.0.4.0.
https://www.dovestones.com/downloads/demos/ADSelfPasswordResetSetup.msi
The upgrade steps can be found below.
https://www.dovestones.com/upgrading-ad-self-password-reset/
If you have lost your license please contact [email protected] and we will find this for you.
More information
If you have any questions please contact [email protected].