SB2021052405 - Multiple vulnerabilities in ManageEngine ADSelfService Plus

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Stored cross-site scripting (CVE-ID: CVE-2021-27956)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the "/webclient/index.html#/directory-search" page. A remote attacker can inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Information disclosure (CVE-ID: CVE-2021-31874)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can obtain sensitive information about the password-sync database application.

3) Improper Authorization (CVE-ID: CVE-2021-37421)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to an error when handling the X-Forwarded-For HTTP header information while accessing the admin portal, if access restrictions are based on IP addresses. A remote attacker can pass an IP address from the whitelist via the X-Forwarded-For HTTP header while accessing the web interface from another IP address, bypass IP-based access restrictions and gain unauthorized access to the admin web interface.

4) Cross-site scripting (CVE-ID: CVE-2021-37416)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data on the loadframe page. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

5) Improper control of interaction frequency (CVE-ID: CVE-2021-37417)

The vulnerability allows a remote attacker to bypass CAPTCHA.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can bypass CAPTCHA protection on the login page and perform brute-force attacks.

Remediation

Install update from vendor's website.

References

• https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released-with-an-important-security-fixes
• https://raxis.com/blog/cve-2021-27956-manage-engine-xss
• https://www.manageengine.com
• https://blog.stmcyber.com/vulns/cve-2021-37421/
• https://blog.stmcyber.com/vulns/cve-2021-37416/
• https://blog.stmcyber.com/vulns/cve-2021-37417/