CVE-2021-37420

Name

E-mail MIME injection in /RestAPI/PasswordSelfServiceAPI endpoint

CVSS score

6.5 (Medium)

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Product name

ManageEngine ADSelfService Plus

Confirmed exploitable versions

< 6112

Researcher

Krzysztof Andrusiak and Marcin Ogorzelski

Description

An unauthenticated attacker can send emails with any content to domain users by sending specially crafted requests to "/RestAPI/PasswordSelfServiceAPI" endpoint.

Proof-of-concept

Configure mail server in ADSSP.
Make sure that "victim" user has e-mail address set in Active Directory.
Modify the following parameters in CVE-2021-37420.py script:
URL - ADSSP server URL
DOMAIN - domain name (FQDN)
USERNAME - user from step 2 (AD username, not e-mail address)
HTML_CONTENT - phishing email content
Execute CVE-2021-37420.py script - user should receive modified e-mail.

Timeline

07-05-2021 - Vulnerability reported to vendor
07-05-2021 - First response from vendor
24-06-2021 - Update from vendor
26-08-2021 - Fixed version release
21-02-2022 - Public disclosure
21-02-2022 - PoC release

References

https://www.manageengine.com/products/self-service-password/release-notes.html#6112
https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6112-hotfix-release
https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-37420