TLDR Lepide AD Self-Service (LADSS) is vulnerable to a forced browsing issue that allows an unauthenticated actor to download an encrypted backup, however the backup is encrypted with a static key that can be extracted from the application code. Successful decryption gives the actor access to cleartext credentials which can