Research & Development

CVE ID: CVE-2021-37421

Title: Admin portal access restriction bypass via X-Forwarded-For header

CVSS score: 5.3 (Medium)

CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Affected product: ManageEngine ADSelfService Plus

Affected versions: < 6104

Credits: Krzysztof Andrusiak and Marcin Ogorzelski

ADSelfService Plus allows administrators to restrict Admin portal access based on the client IP address. An attacker can bypass this restriction by sending an "X-Forwarded-For" header set to a whitelisted IP address, because the application trusts the header value instead of the address of the connecting peer.
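
The root cause described above is a trust decision: an IP allowlist is only as strong as the source of the IP it compares against. The following added example (not the vendor's code; all addresses and the trusted-proxy list are constructed for illustration) places the flawed pattern beside a hardened one. The hardened version uses the TCP peer address unless that peer is a known reverse proxy, and even then walks the X-Forwarded-For chain from the right, past trusted hops, so that a value prepended by the client cannot influence the result.

```python
import ipaddress
from typing import Mapping, Sequence, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample policy (the advisory names no concrete addresses):
# admins may only reach the portal from 10.0.0.0/8, and the only host
# allowed to speak on behalf of clients is the reverse proxy 192.0.2.10.
ADMIN_ALLOWLIST: Sequence[IPNetwork] = [ipaddress.ip_network("10.0.0.0/8")]
TRUSTED_PROXIES: Sequence[IPNetwork] = [ipaddress.ip_network("192.0.2.10/32")]


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def _in_any(addr: IPAddress, nets: Sequence[IPNetwork]) -> bool:
    return any(addr in net for net in nets)


def naive_client_ip(remote_addr: str, headers: Mapping[str, str]) -> IPAddress:
    """The vulnerable pattern: believe X-Forwarded-For from any peer.
    Whoever opens the TCP connection controls this value completely."""
    xff = _header(headers, "X-Forwarded-For")
    if xff:
        return ipaddress.ip_address(xff.split(",")[0].strip())
    return ipaddress.ip_address(remote_addr)


def effective_client_ip(remote_addr: str, headers: Mapping[str, str],
                        trusted_proxies: Sequence[IPNetwork]) -> IPAddress:
    """Hardened pattern.

    1. If the peer is not a trusted proxy, its socket address is the client;
       any X-Forwarded-For it sent is ignored.
    2. If the peer is a trusted proxy, read the chain right to left: each
       trusted proxy appends the address it saw, so the rightmost entry that
       is *not* one of our proxies is the real client. Entries further left
       were supplied by the client and are untrusted.
    3. A malformed entry fails closed: fall back to the peer address.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, trusted_proxies):
        return peer
    hops = [h.strip() for h in _header(headers, "X-Forwarded-For").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer
        if not _in_any(addr, trusted_proxies):
            return addr
    # Empty chain, or every hop was one of our own proxies.
    return peer


def admin_allowed(remote_addr: str, headers: Mapping[str, str],
                  allowlist: Sequence[IPNetwork] = ADMIN_ALLOWLIST,
                  trusted_proxies: Sequence[IPNetwork] = TRUSTED_PROXIES) -> bool:
    """Allowlist check built on the hardened client-IP derivation."""
    return _in_any(effective_client_ip(remote_addr, headers, trusted_proxies), allowlist)


def admin_allowed_naive(remote_addr: str, headers: Mapping[str, str],
                        allowlist: Sequence[IPNetwork] = ADMIN_ALLOWLIST) -> bool:
    """Same policy, built on the flawed derivation, for comparison."""
    return _in_any(naive_client_ip(remote_addr, headers), allowlist)


if __name__ == "__main__":
    # Constructed request: a direct connection from outside the allowlist
    # that claims an allowlisted origin in the header.
    spoofed = {"X-Forwarded-For": "10.1.2.3"}
    print("naive   :", admin_allowed_naive("198.51.100.7", spoofed))  # True  (bypass)
    print("hardened:", admin_allowed("198.51.100.7", spoofed))        # False (denied)
```

The check also logs nothing here, but in a deployment the interesting detection signal is exactly the mismatch the hardened path exposes: a connection whose peer is not a configured proxy yet carries an X-Forwarded-For header naming an allowlisted range. Where no reverse proxy exists at all, the simplest correct configuration is an empty trusted-proxy list, which makes the header irrelevant.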

  • 17-03-2021 - Vulnerability reported to vendor
  • 18-03-2021 - First response from vendor
  • 08-05-2021 - Fixed version release
  • 30-08-2021 - Public disclosure