I’m Matt Dunn, lead penetration tester here at Raxis. This is a summary of the third stored cross-site scripting vulnerability I discovered while testing several Zoho-owned ManageEngine products. This vulnerability exists in the Applications Manager product.
Proof of Concept
The vulnerability can be triggered by inserting HTML content, specifically script tags, into the first or last name of an Active Directory user. The following was inserted as a proof of concept to reflect the user’s cookie in an alert box:
An example of this in the Last Name field of one such user can be seen here:
After loading the selected user, the malicious content is executed, as shown below:
Raxis discovered this vulnerability on ManageEngine Applications Manager 15, Build 15080.
Upgrade ManageEngine Applications Manager to Version 15.1 Build 15130 or later immediately. The fixed version can be found here:
- Download Link – https://www.manageengine.com/products/applications_manager/download.html
- Release Notes – https://www.manageengine.com/products/applications_manager/release-notes.html
- March 18, 2021 – Vulnerability reported to Zoho
- March 18, 2021 – Zoho begins investigation into report
- April 27, 2021 – Zoho releases fixed version 15.1 Build 15130
- April 27, 2021 – CVE-2021-31813 is assigned to this vulnerability
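
The following Python sketch is an added example, not code from Raxis or ManageEngine. It shows the defensive side of the issue described under Proof of Concept: auditing Active Directory name attributes for markup, and HTML-encoding directory values when they are rendered. The user records are constructed sample data, the function names are hypothetical, and `givenName`, `sn` and `sAMAccountName` are assumed to be the attributes behind the first name, last name and account name.

```python
import html
import re

# Assumed attributes behind the page's "first or last name" fields.
NAME_ATTRS = ("givenName", "sn")

# A tag-like sequence or a character reference is unexpected in a person's name.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!]|&#?\w+;")


def audit_users(users):
    """Return (sAMAccountName, attribute, value) for name fields holding markup."""
    findings = []
    for user in users:
        for attr in NAME_ATTRS:
            value = user.get(attr, "")
            if MARKUP.search(value):
                findings.append((user["sAMAccountName"], attr, value))
    return findings


def render_unsafe(user):
    """Vulnerable pattern: directory values concatenated straight into HTML."""
    return "<td>" + user["givenName"] + " " + user["sn"] + "</td>"


def render_safe(user):
    """Hardened pattern: every directory value is HTML-encoded on output."""
    full = user["givenName"] + " " + user["sn"]
    return "<td>" + html.escape(full, quote=True) + "</td>"


# Constructed sample records shaped like an LDAP export (not real data).
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe"},
    {"sAMAccountName": "odonnell", "givenName": "Pat", "sn": "O'Donnell"},
    {"sAMAccountName": "svc-test", "givenName": "Test",
     "sn": "<script>alert(1)</script>"},
]

if __name__ == "__main__":
    for account, attr, value in audit_users(SAMPLE_USERS):
        print(f"markup in {attr} of {account}: {value!r}")
    for user in SAMPLE_USERS:
        print(render_safe(user))
```

The audit flags only the record whose last name contains a tag, while a legitimate name such as O'Donnell passes and is still rendered correctly after encoding.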