ManageEngine Key Manager Plus Cross-Site Scripting Vulnerability (CVE-2021-28382)

Raxis’ Lead Penetration Tester Matt Dunn discovers another cross-site scripting vulnerability in Zoho’s MangeEngine Key Manager Plus (CVE-2021-28382).

Categories:

Posted on

By

Raxis Administrator

ManageEngine Key Manager Plus Cross-Site Scripting Vulnerability (CVE-2021-28382)

I’m Matt Dunn, lead penetration tester here at Raxis. This is a summary of the second stored cross-site scripting vulnerability I discovered while testing several Zoho-owned ManageEngine products. This vulnerability exists in the Key Manager Plus Version 6000.

Summary

Recently I discovered a stored Cross-Site Scripting vulnerability in the Zoho-owned ManageEngine Key Manager Plus for Version 6000 (CVE-2021-28382). The vulnerability exists in any of a user’s details fields when they are imported from Active Directory. This can be performed in one of the name fields or the email field, and is executed when visiting the /apiclient/index.jsp#/Settings/UserManagement page. After this page loads, the user’s details are loaded with unescaped content, allowing for malicious JavaScript to be reflected back to users.

Proof of Concept

The vulnerability can be triggered by inserting html content, specifically script tags, into the first name, last name, or email field of an Active Directory user. The following was inserted as a proof of concept to reflect the user’s cookie in an alert box:

<script>alert(document.cookie)</script>

An example of this in the Last Name field of one such user can be seen here:

Stored XSS Payload

After that user’s details load on the UserManagement page, the HTML is then presented unescaped on the web page, which allows the script tags to be loaded as valid JavaScript. The unescaped HTML, as loaded, can be seen here:

Unescaped JavaScript Tags

After loading the UserManagement page, the malicious content is executed, as shown below:

XSS Execution Displaying the User's Cookie

Affected Versions

Raxis discovered this vulnerability on Manage Engine Key Manager Plus 6000 (6.0.0), but any version below 6001 could be vulnerable when importing users from Active Directory.

Remediation

Upgrade ManageEngine Key Manager Plus to version 6001 or later immediately. Version 6001 can be found here: https://www.manageengine.com/key-manager/release-notes.html#6001

Disclosure Timeline

  • March 5, 2021 – Vulnerability reported to Zoho
  • March 8, 2021 – Zoho begins investigation into report
  • March 13, 2021 – Zoho releases version 6001 to mitigate vulnerability
  • March 15, 2021 CVE-2021-28382 assigned to this vulnerability

CVE Links

Written by

Raxis Administrator

Human Expertise Outsmarts AI in Pentesting

While AI tools offer speed in detecting known vulnerabilities, they fall short with 20-35% false positives and only 50-65% success on complex threats like business logic flaws, as per mainstream reports from Verizon and OWASP. Human penetration testers at Raxis deliver 85-90% detection rates, precise prioritization, and ethical adaptability, ensuring your organization stays ahead of real-world attacks.

Learn About AI

Partner With Raxis

Partnering with Raxis empowers your business with elite penetration testing services, competitive reseller pricing, and recurring revenue opportunities, all backed by a proven track record of excellence and a commitment to staying ahead of evolving cybersecurity threats.

Learn About Raxis Partner

Raxis Attack

Continuous, expert-led PTaaS combined with advanced automation to uncover and address hidden vulnerabilities, ensuring your business stays ahead of evolving cyber threats while maintaining regulatory compliance.

Learn About AI

Raxis Strike

Tailored, expert-led penetration testing that uncovers hidden vulnerabilities using real-world hacker techniques, providing actionable insights to strengthen your defenses and protect against sophisticated cyber threats.

Learn About Strike

Like what you’ve learned from Raxis?

Contact us to receive an expert-led penetration test, and we’ll also show you step-by-step how to recreate our attack against your own systems.

Article Tags

Categories

Ready to See Raxis One In Action?

See how we transform traditional pen testing into interactive security intelligence that keeps you informed every step of the way. From real-time attack progression to detailed remediation guidance, Raxis One gives you unprecedented visibility into your security posture as it’s being tested.

Schedule a Demo

More From Raxis

  • Microsoft Releases Security Patch for Actively Exploited On-Premises SharePoint Vulnerabilities

    Microsoft Releases Security Patch for Actively Exploited On-Premises SharePoint Vulnerabilities
    By Jason Taylor • July 22, 2025
    Read More
  • OWASP Top 10 for LLM Applications

    OWASP Top 10 for LLM Applications Penetration Testing
    By Jason Taylor • July 15, 2025
    Read More
  • Wireless Series: Using Wifite to Capture and Crack a WPA2 Pre-Shared Key

    Wireless Series: Using Wifite to Capture and Crack a WPA2 Pre-Shared Key for Penetration Testing
    By Scottie Cole • June 17, 2025
    Read More
  • Jailbreak Journey: Transforming an iPad for Mobile App Penetration Testing

    Jailbreak Journey: Transforming an iPad for Mobile App Penetration Testing
    By Jason Taylor • June 3, 2025
    Read More