ManageEngine Applications Manager Stored Cross-Site Scripting Vulnerability (CVE-2021-31813)

Raxis’ Matt Dunn has discovered another ManangeEngine cross-site scripting (XSS) vulnerability, this time in the Applications Manager product (CVE-2021-31813).

Categories:

Posted on

By

ManageEngine Applications Manager Stored Cross-Site Scripting Vulnerability (CVE-2021-31813)

I’m Matt Dunn, lead penetration tester here at Raxis.This is a summary of the third stored cross-site scripting vulnerability I discovered while testing several Zoho-owned ManageEngine products. This vulnerability exists in the Applications Manager product.

Summary

Recently I discovered a stored Cross-Site Scripting vulnerability in ManageEngine Applications Manager. The vulnerability exists in a users’ name fields when they are imported from Active Directory. This can be performed in any of the name fields and is executed when selecting the user for import on /admin/userconfiguration.do after fetching users from the domain. After the import loads and the user is selected, the user’s name is loaded with unescaped content, allowing malicious JavaScript to be reflected back to the user.

Proof of Concept

The vulnerability can be triggered by inserting html content, specifically script tags, into the first or last name of an Active Directory user. The following was inserted as a proof of concept to reflect the user’s cookie in an alert box:

<script>alert(document.cookie)</script>

An example of this in the Last Name field of one such user can be seen here:

Stored XSS Payload

After that user is selected and the details load on the “User Imported from Active Directory” page, the HTML is presented unescaped on the web page, which allows the script tags to be loaded as valid JavaScript. The unescaped HTML as loaded can be seen here:

Unescaped JavaScript Tags

After loading the selected user, the malicious content is executed, as shown below:

JavaScript Execution to Display User's Cookie in an Alert Box

Affected Versions

Raxis discovered this vulnerability on Manage Engine Applications Manager 15, Build 15080.

Remediation

Upgrade ManageEngine Applications Manager to Version 15.1 Build 15130 or later immediately which can be found here:

Disclosure Timeline

  • March 18, 2021 – Vulnerability reported to Zoho
  • March 18, 2021 – Zoho begins investigation into report
  • April 27, 2021 – Zoho releases fixed version 15.1 Build 15130
  • April 27, 2021 – CVE-2021-31813 is assigned to this vulnerability

CVE Links

Ready to See Raxis One In Action?

See how we transform traditional pen testing into interactive security intelligence that keeps you informed every step of the way. From real-time attack progression to detailed remediation guidance, Raxis One gives you unprecedented visibility into your security posture as it’s being tested.

More From Raxis

  • Choosing a Penetration Testing Company: Part 3

    Choosing a Penetration Testing Company: Part 3

    By Caroline Kelly • July 29, 2025
  • Microsoft Releases Security Patch for Actively Exploited On-Premises SharePoint Vulnerabilities

    Microsoft Releases Security Patch for Actively Exploited On-Premises SharePoint Vulnerabilities

    By Jason Taylor • July 22, 2025
  • Choosing a Penetration Testing Company: Part 2

    Choosing a Penetration Testing Company: Part 2

    By Brad Herring • July 1, 2025
  • Cisco Releases Patch for CVE-2025-20188 - 10.0 CVSS

    Cisco Releases Patch for CVE-2025-20188 – 10.0 CVSS

    By Scottie Cole • May 8, 2025