CVE-2021-28958
Unauthenticated RCE in password change function
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ManageEngine ADSelfService Plus
< 6102
Krzysztof Andrusiak and Marcin Ogorzelski
In some cases, a user password change is performed using a PowerShell script. User credentials inserted into this script are not properly sanitized (improper sanitization of double quotes), leading to PowerShell script injection and remote code execution.
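The sanitization problem described above, seen from the fixing side in an added example (not the vendor's code and not the advisory's PoC). The script template, the helper names and the sample values are assumptions constructed for illustration; it contrasts splicing a credential into a double-quoted PowerShell literal with passing it as Base64 data that the script decodes.

```python
import base64
import re

# Characters significant inside a double-quoted PowerShell string: ASCII and
# typographic double quotes, backtick (escape) and $ (variable/subexpression).
PS_DQ_SPECIAL = set('"\u201c\u201d\u201e`$')

def can_break_out(value):
    """True if the value would not stay inert inside a "..." PowerShell literal."""
    return any(ch in PS_DQ_SPECIAL for ch in value)

def build_unsafe(user, password):
    """Hypothetical vulnerable template: values spliced into "..." literals."""
    return (f'Set-ADAccountPassword -Identity "{user}" -Reset -NewPassword '
            f'(ConvertTo-SecureString "{password}" -AsPlainText -Force)')

def ps_literal(value):
    """PowerShell expression that yields `value` as data, never as syntax.
    The Base64 alphabet contains no quote, backtick or $ character."""
    b64 = base64.b64encode(value.encode("utf-16-le")).decode("ascii")
    return ("([Text.Encoding]::Unicode.GetString("
            f"[Convert]::FromBase64String('{b64}')))")

def build_safe(user, password):
    """Same command line, with both values carried as encoded data."""
    return (f'Set-ADAccountPassword -Identity {ps_literal(user)} -Reset '
            f'-NewPassword (ConvertTo-SecureString {ps_literal(password)} '
            '-AsPlainText -Force)')

def dq_literals(script):
    """Double-quoted spans as a parser would delimit them (simplified)."""
    return re.findall(r'"([^"]*)"', script)

def decode_literals(script):
    """Recover the values carried by ps_literal() to show they round-trip."""
    found = re.findall(r"FromBase64String\('([A-Za-z0-9+/=]*)'\)", script)
    return [base64.b64decode(b).decode("utf-16-le") for b in found]

# Constructed sample input: an ordinary password that contains " and $.
SAMPLE_USER = "jdoe"
SAMPLE_PASSWORD = 'Tr"icky$Pass'

if __name__ == "__main__":
    unsafe = build_unsafe(SAMPLE_USER, SAMPLE_PASSWORD)
    safe = build_safe(SAMPLE_USER, SAMPLE_PASSWORD)
    print("needs encoding:", can_break_out(SAMPLE_PASSWORD))
    print("unsafe literals:", dq_literals(unsafe))   # password literal ends early
    print("safe round-trip:", decode_literals(safe))  # both values intact
```

In the unsafe output the password literal ends at the embedded quote and the remainder is parsed as script text, which is the condition the advisory describes; the encoded form keeps the whole value inside one inert literal.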
- Download CVE-2021-28958.py and modify the following values in the script:
  - URL - ADSSP address
  - DOMAIN - Active Directory domain configured in ADSSP
  - CMD - command to be executed on the ADSSP server
- Execute CVE-2021-28958.py script (using Python 3 interpreter).
- Command defined in CMD variable will be executed on ADSSP server.
- 17-03-2021 - Vulnerability reported to vendor
- 18-03-2021 - First response from vendor
- 23-03-2021 - First patch release
- 24-03-2021 - Security issues with first patch reported to vendor
- 24-03-2021 - Updated patch for retest received from vendor
- 30-03-2021 - Updated patch release
- 30-08-2021 - Public disclosure