I’m Matt Dunn, a lead penetration tester here at Raxis. Recently, I discovered a stored Cross-Site Scripting vulnerability in Zoho’s ManageEngine AD SelfService Plus.
The vulnerability exists in the /accounts/authVerify page, which is used for the forgot password, change password, and unlock account functionalities.
Proof of Concept
<img src=x onerror="alert(document.cookie)"/>
An example of this in the Last Name field of one such user is shown here:
The next time that user forgets their password, attempts to change it, or is locked out of their account and loads the authVerify page, their name is presented without being sanitized. The unescaped HTML, as loaded, can be seen in Figure 2:
After the user attempts to reset their password, the malicious content is executed, as shown in Figure 3:
If the user must change their password on login, the malicious content is executed, as shown in Figure 4:
If the user attempts to unlock their account, the malicious content is executed, as shown in Figure 5:
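As an added illustration (not code from Raxis or from ManageEngine), the Python below shows the unsafe pattern described above, a directory attribute concatenated straight into a page, beside the output-encoding fix, plus an audit helper a directory admin could run over exported attributes to spot name fields that already contain markup. The user records are constructed sample data.

```python
import html
import re

# Constructed sample of directory attributes as an admin might export them
# (made-up values for illustration, not data from the advisory).
SAMPLE_USERS = [
    {"sAMAccountName": "jdoe", "givenName": "Jane", "sn": "Doe"},
    {"sAMAccountName": "testuser", "givenName": "Test",
     "sn": '<img src=x onerror="alert(document.cookie)"/>'},
    {"sAMAccountName": "oneill", "givenName": "Sam", "sn": "O'Neill"},
]

# Rough indicators that a free-text directory attribute contains HTML/JS:
# an opening/closing tag, an inline event-handler attribute, or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def render_name_unsafe(user):
    """The vulnerable pattern: attribute values dropped into HTML verbatim."""
    return f"<h2>Hello, {user['givenName']} {user['sn']}</h2>"


def render_name_safe(user):
    """Hardened: HTML-entity-encode every attribute value at output time,
    including quotes, so the value can never break out of the text node."""
    first = html.escape(user["givenName"], quote=True)
    last = html.escape(user["sn"], quote=True)
    return f"<h2>Hello, {first} {last}</h2>"


def find_suspicious_attributes(users, fields=("givenName", "sn")):
    """Audit helper: return (account, field, value) for values that look like markup.
    Legitimate punctuation such as the apostrophe in O'Neill is not flagged."""
    hits = []
    for user in users:
        for field in fields:
            value = user.get(field, "")
            if MARKUP_RE.search(value):
                hits.append((user["sAMAccountName"], field, value))
    return hits


if __name__ == "__main__":
    for u in SAMPLE_USERS:
        print(render_name_safe(u))
    for hit in find_suspicious_attributes(SAMPLE_USERS):
        print("Suspicious attribute:", hit)
```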
Affected Version
Raxis discovered this vulnerability on ManageEngine AD SelfService Plus 6.1 Build 6119.
Remediation
Upgrade ManageEngine AD SelfService Plus to Version 6.1 Build 6121 or later immediately:
- Download Link – https://www.manageengine.com/products/self-service-password/download.html
- Release Notes – https://www.manageengine.com/products/self-service-password/release-notes.html#6121
Disclosure Timeline
- January 22, 2022 – Vulnerability reported to Zoho
- January 22, 2022 – Zoho begins investigation into report
- February 9, 2022 – CVE-2022-24681 is assigned to this vulnerability
- March 7, 2022 – Zoho releases fixed version 6.1 Build 6121
References
- MITRE CVE – https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24681
- NVD – https://nvd.nist.gov/vuln/detail/CVE-2022-24681