I’m Matt Dunn, lead penetration tester here at Raxis. This is a summary of the second stored cross-site scripting vulnerability I discovered while testing several Zoho-owned ManageEngine products. This vulnerability exists in the Key Manager Plus Version 6000.
Proof of Concept
The vulnerability can be triggered by inserting HTML content, specifically script tags, into the First Name, Last Name, or Email field of an Active Directory user. Because the injected value is stored with the user record and rendered back without encoding whenever the UserManagement page loads, it executes in the browser of any administrator who views that page. The following was inserted as a proof of concept to reflect the user’s cookie in an alert box:
An example of this in the Last Name field of one such user can be seen here:
After loading the UserManagement page, the malicious content is executed, as shown below:
Raxis discovered this vulnerability on ManageEngine Key Manager Plus 6000 (6.0.0), but any version below 6001 could be vulnerable when importing users from Active Directory.
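The root cause described above is a classic output-encoding failure: attribute values imported from Active Directory are trusted as if they were plain text and concatenated into page markup. The following is an added example written for this post, not code from Raxis or from ManageEngine, and the field names, the `renderUserRow*` functions and the sample user record are all assumptions chosen for illustration. It contrasts the vulnerable rendering pattern with an HTML-escaped version, and adds an import-time check that flags directory attributes containing markup characters so they can be reviewed before they ever reach a page.

```javascript
// Added example (not Raxis or ManageEngine code). Demonstrates why attributes
// pulled from Active Directory must be HTML-encoded before being rendered into
// a user-management page, and how to flag suspicious values at import time.

// Minimal HTML entity map covering the characters that matter in text nodes
// and quoted attribute values.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a single untrusted value for safe inclusion in HTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: raw concatenation of directory attributes into markup.
// A script tag stored in any of these fields is emitted verbatim.
function renderUserRowUnsafe(user) {
  return `<tr><td>${user.firstName}</td><td>${user.lastName}</td><td>${user.email}</td></tr>`;
}

// Hardened pattern: every untrusted field passes through escapeHtml, so the
// browser renders the stored value as literal text instead of parsing it.
function renderUserRowSafe(user) {
  return `<tr><td>${escapeHtml(user.firstName)}</td><td>${escapeHtml(user.lastName)}</td><td>${escapeHtml(user.email)}</td></tr>`;
}

// Import-time check (assumed field names): returns the names of attributes
// that contain markup characters, so an operator can review an AD import
// rather than silently storing HTML in a name or email field.
function findSuspiciousFields(user) {
  const markup = /[<>"'&]/;
  return ['firstName', 'lastName', 'email'].filter((f) =>
    markup.test(String(user[f] ?? ''))
  );
}

// Constructed sample record mirroring the report: a script tag in the Last
// Name field of an imported directory user. The payload is a harmless marker.
const sampleUser = {
  firstName: 'Alice',
  lastName: '<script>alert(1)</script>',
  email: 'alice@example.test',
};

console.log('unsafe :', renderUserRowUnsafe(sampleUser));
console.log('safe   :', renderUserRowSafe(sampleUser));
console.log('flagged:', findSuspiciousFields(sampleUser));
```

The escaped row contains `&lt;script&gt;` rather than a live tag, which is the behaviour the 6001 fix needs to guarantee for every directory-sourced attribute; the import-time check is a defence-in-depth layer, not a substitute for encoding at render time.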
Upgrade ManageEngine Key Manager Plus to version 6001 or later immediately. Version 6001 can be found here: https://www.manageengine.com/key-manager/release-notes.html#6001
- March 5, 2021 – Vulnerability reported to Zoho
- March 8, 2021 – Zoho begins investigation into report
- March 13, 2021 – Zoho releases version 6001 to mitigate vulnerability
- March 15, 2021 – CVE-2021-28382 assigned to this vulnerability