CVE-2021-33256

A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as CSV file. Note: The vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side.

Published: Aug 9, 2021
Updated: Nov 8, 2023
CVE: CVE-2021-33256
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 9.3
AV:N/AC:M/Au:N/C:C/I:C/A:C

CWEs:

CWE-1236

Affected Software
References

Software	From	Fixed in
zohocorp / manageengine_adselfservice_plus	6.1-6101	6.1-6101.x

https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection

Vulnerability Database

289,784

CVE-2021-33256