Admin portal access restriction bypass via X-Forwarded-For header
ManageEngine ADSelfService Plus
Krzysztof Andrusiak and Marcin Ogorzelski
ADSelfService Plus allows administrators to restrict Admin portal access based on IP address. An attacker can bypass this security mechanism by sending an "X-Forwarded-For" header set to a whitelisted IP address, because the application trusts that client-supplied header as the source address when evaluating the restriction.
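The root cause described above is a general one: an IP-based access control that reads the client address from X-Forwarded-For trusts a value any direct client can set. The following Python is an added illustration, not code from the advisory or from ManageEngine, showing the weak address-resolution pattern beside a hardened version that only honours X-Forwarded-For when the TCP peer is a known reverse proxy. The allowlist, trusted-proxy list and sample addresses are constructed for the example.

```python
import ipaddress

# Constructed sample configuration (not taken from the advisory): the admin
# portal allowlist and the reverse proxies whose X-Forwarded-For we trust.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/24")]
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def weak_client_ip(remote_addr, headers):
    """Weak pattern: believe X-Forwarded-For regardless of who sent it.

    The header is attacker-controlled unless a trusted proxy set it, so a
    client connecting directly can present any address it likes.
    """
    xff = headers.get("X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def hardened_client_ip(remote_addr, headers, trusted_proxies=TRUSTED_PROXIES):
    """Honour X-Forwarded-For only when the socket peer is a trusted proxy.

    Proxies append to the header, so the chain is walked from the right;
    the first hop that is not a trusted proxy is the real client. Anything
    malformed falls back to the socket address.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not any(peer in net for net in trusted_proxies):
        return peer  # direct connection: the header is untrusted, ignore it
    xff = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer
        if not any(addr in net for net in trusted_proxies):
            return addr
    return peer  # header empty or only trusted proxies listed


def admin_allowed(ip, allowlist=ADMIN_ALLOWLIST):
    """True if the resolved client address is inside the admin allowlist."""
    return any(ip in net for net in allowlist)


def check_direct_client():
    """Constructed request: an outside host connects directly and claims an
    allowlisted address in X-Forwarded-For. Returns (weak, hardened) verdicts."""
    headers = {"X-Forwarded-For": "10.0.0.7"}
    weak = admin_allowed(weak_client_ip("203.0.113.5", headers))
    hard = admin_allowed(hardened_client_ip("203.0.113.5", headers))
    return weak, hard


def check_via_proxy():
    """Constructed request: the same outside host reaches the app through the
    trusted proxy, which appends the true source to the client's spoofed value.
    Returns (weak, hardened) verdicts."""
    headers = {"X-Forwarded-For": "10.0.0.7, 203.0.113.5"}
    weak = admin_allowed(weak_client_ip("192.0.2.10", headers))
    hard = admin_allowed(hardened_client_ip("192.0.2.10", headers))
    return weak, hard


if __name__ == "__main__":
    print("direct client   (weak, hardened):", check_direct_client())
    print("through proxy   (weak, hardened):", check_via_proxy())
```

In both constructed cases the weak resolver grants access on the strength of the spoofed header, while the hardened resolver ends up at the real source address and denies it. The same rule applies to any other forwarding header (for example X-Real-IP): trust it only from peers you operate, and otherwise use the socket address.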
- 17-03-2021 - Vulnerability reported to vendor
- 18-03-2021 - First response from vendor
- 08-05-2021 - Fixed version release
- 30-08-2021 - Public disclosure