CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2021-33256

A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as CSV file. Note: The vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.163

EPSS Ranking 94.5%

CVSS Severity

CVSS v3 Score 8.8

CVSS v2 Score 9.3

References

https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection
https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection

Products affected by CVE-2021-33256

Zohocorp » Manageengine Adselfservice Plus » Version: 6.1

cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.1

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2021-33256

Products

Pricing

Contact Us