CVE-2021-33256
HIGH
ManageEngine ADSelfService Plus <6.1.6101 - CSV Injection
Title source: llm
Description
A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable, and a reverse shell could be obtained if a privileged user exports the "User Attempts Audit Report" as a CSV file. Note: The vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side."
Scores
CVSS v3: 8.8
EPSS: 0.1741
EPSS Percentile: 95.1%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE: CWE-1236
Status: published
Products (1): zohocorp/manageengine_adselfservice_plus 6.1 6101
Published: Aug 09, 2021
Tracked Since: Feb 18, 2026