Stored XSS Vulnerability in Zoho ManageEngine ADSelfService Plus
CVE-2021-27956

6.1 MEDIUM

Key Information:

Vendor: Zohocorp
CVE Published: 20 May 2021

What is CVE-2021-27956?

Zoho ManageEngine ADSelfService Plus prior to version 6104 is susceptible to a stored XSS vulnerability when users interact with the search feature on the directory search page. This issue arises through the email address field, where an attacker can inject malicious scripts that may be executed in the context of an unsuspecting user. As a result, unauthorized actions and data exposure can occur, impacting the overall integrity and security of the application.

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
