CVE-2021-33256
HIGH
ManageEngine ADSelfService Plus <6.1.6101 - CSV Injection
Title source: llm
Description
A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as a CSV file. Note: The vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side."
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection
Scores
CVSS v3
8.8
EPSS
0.7900
EPSS Percentile
99.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-1236
Status
published
Products (1)
zohocorp/manageengine_adselfservice_plus
6.1 6101
Published
Aug 09, 2021
Tracked Since
Feb 18, 2026