CVE-2021-33256 Information
Jun 07, 2022
cve
Description
DISPUTED: A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as CSV file. Note: The vendor disputes this vulnerability claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side."
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Reference
https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection
Attack Complexity
LOW
Privileges Required
NONE
User Interaction Required
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
8.8
Base Severity
HIGH