CVE-2021-33256

Severity Score

8.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus Version: 6.1 Build No: 6101 can be exploited by an unauthenticated user. The j_username parameter seems to be vulnerable and a reverse shell could be obtained if a privileged user exports "User Attempts Audit Report" as CSV file. Note: The vendor disputes this vulnerability, claiming "This is not a valid vulnerability in our ADSSP product. We don't see this as a security issue at our side.

** EN DISPUTA ** Una vulnerabilidad de inyección CSV en el panel de inicio de sesión de ManageEngine ADSelfService Plus Versión: 6.1 Build No: 6101, puede ser explotada por un usuario no autenticado. El parámetro j_username parece ser vulnerable y se podría obtener un shell inverso si un usuario con privilegios exporta "User Attempts Audit Report" como archivo CSV. Nota: El proveedor disputa esta vulnerabilidad, afirmando que "Esta no es una vulnerabilidad válida en nuestro producto ADSSP. No vemos esto como un problema de seguridad por nuestra parte".

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-05-20 CVE Reserved
2021-08-09 CVE Published
2024-04-24 EPSS Updated
2024-08-03 CVE Updated
2024-08-03 First Exploit
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CAPEC

References (1)

URL	Tag	Source

URL	Date	SRC
https://docs.unsafe-inline.com/0day/manageengine-adselfservice-plus-6.1-csv-injection	2024-08-03

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Zohocorp Search vendor "Zohocorp"		Manageengine Adselfservice Plus Search vendor "Zohocorp" for product "Manageengine Adselfservice Plus"				6.1 Search vendor "Zohocorp" for product "Manageengine Adselfservice Plus" and version "6.1"		6101		Affected