CVE-2021-33256

moderate-risk
Published 2021-08-09

A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as CSV file. Note: The vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side.

Do I need to act?

!
17.4% chance of exploitation in next 30 days
EPSS score — higher than 83% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
8
CVSS 8.8/10 High
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Zohocorp

References (2)

Exploit https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-inje...
Exploit https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-inje...
48
/ 100
moderate-risk
Severity 30/34 · Critical
Exploitability 13/34 · Low
Exposure 5/34 · Minimal