Research & Development
$ #

CVE-2021-37416

Reflected XSS in LoadFrame page via single_signout parameter

6.1 (Medium)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

ManageEngine ADSelfService Plus

< 6104

Krzysztof Andrusiak and Marcin Ogorzelski

ADSelfServicePlus is prone to Reflected XSS attack via the single_signout parameter in /LoadFrame endpoint, potentially leading to victim's account takeover.

  • 17-03-2021 - Vulnerability reported to vendor
  • 18-03-2021 - First response from vendor
  • 08-05-2021 - Fixed version release
  • 30-08-2021 - Public disclosure