Server-side Request Forgery in Zoho ManageEngine ADSelfService Plus
CVE-2021-27214

6.1 MEDIUM

Key Information:

Vendor

Zohocorp

CVE Published:
19 February 2021

What is CVE-2021-27214?

A server-side request forgery (SSRF) vulnerability in the ProductConfig servlet of Zoho ManageEngine ADSelfService Plus allows a remote, unauthenticated attacker to make the server issue blind HTTP requests to attacker-chosen destinations. The same flaw can also be used to perform Cross-site Scripting (XSS) against the administrative interface, which distinguishes it from previously reported issues in the product. Applying the vendor's fix is necessary to prevent this unauthorized access and preserve the security of the application.

EPSS Score

10% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed
