I’m Matt Dunn, lead penetration tester at Raxis. This is a summary of the first stored cross-site scripting vulnerability I discovered while testing several Zoho-owned ManageEngine products. This vulnerability exists in AD Self Service Plus Version 6.1.
Proof of Concept
The vulnerability can be triggered by inserting HTML content, in this case script tags, into the email field of an Active Directory user. The following was inserted as a proof of concept to reflect the user’s cookie in an alert box:
An example of this on one such user is shown here:
After loading the search page, clicking the “More” tab triggers the vulnerability, which is shown in Figure 3:
Raxis discovered this vulnerability on ManageEngine AD Self Service Plus 6.1, build 6100.
Upgrade ManageEngine AD Self Service Plus to Build Version 6104 immediately. The ServicePack can be found here with release notes here.
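The proof of concept above relies on a directory email value being written into a page without encoding. The following is an added example, not code from the original advisory or from ManageEngine, that audits email attributes in a directory export and HTML-encodes them before rendering; the record layout, function names, and sample values are assumptions constructed for illustration.

```javascript
// Added example: field names and sample records below are constructed.

// Encode the characters that are significant in HTML text and attribute values.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Conservative address shape (assumption): no whitespace, quotes or angle brackets.
const MAIL_SHAPE = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

// Audit each record's mail attribute and produce the value a page should emit.
function auditMailAttributes(users) {
  return users.map((user) => {
    const mail = user.mail == null ? "" : String(user.mail);
    return {
      account: user.sAMAccountName,
      valid: mail === "" || (mail.length <= 254 && MAIL_SHAPE.test(mail)),
      hasMarkup: /[<>"']/.test(mail),
      rendered: escapeHtml(mail), // escape on output even when the value validates
    };
  });
}

// Accounts whose mail attribute should be reviewed and corrected in the directory.
function flaggedAccounts(users) {
  return auditMailAttributes(users).filter((r) => !r.valid).map((r) => r.account);
}

// Constructed sample directory export.
const sampleUsers = [
  { sAMAccountName: "jdoe", mail: "jdoe@example.com" },
  { sAMAccountName: "svc-test", mail: "x@example.com<script>alert(1)</script>" },
  { sAMAccountName: "asmith", mail: "a.smith+hr@example.com" },
  { sAMAccountName: "nomail" },
];

for (const row of auditMailAttributes(sampleUsers)) {
  console.log(`${row.account}\tvalid=${row.valid}\tmarkup=${row.hasMarkup}\t${row.rendered}`);
}
```

Validation on input and encoding on output are independent controls: the audit finds values to clean up in the directory, while the encoding step keeps any value that slips through from being interpreted as markup.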
- February 19, 2021 – Vulnerability reported to Zoho
- February 19, 2021 – Zoho begins investigation into report
- March 5, 2021 – CVE-2021-27956 assigned to this vulnerability
- May 8, 2021 – Zoho releases patch for this vulnerability