Lucene search

[email protected]CVE-2021-27956

HistoryMay 20, 2021 - 6:15 p.m.

CVE-2021-27956

2021-05-2018:15:00

CWE-79

[email protected]

web.nvd.nist.gov

cve-2021-27956

zoho

manageengine

adselfservice plus

stored xss

webclient

directory search

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

50.6%

JSON

Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.

CPENameOperatorVersion
zohocorp:manageengine_adselfservice_pluszohocorp manageengine adselfservice pluseq6.1

CPE	Name	Operator	Version
zohocorp:manageengine_adselfservice_plus	zohocorp manageengine adselfservice plus	eq	6.1

References

pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released-with-an-important-security-fixes

raxis.com/blog/cve-2021-27956-manage-engine-xss

www.manageengine.com

Social References

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

4.3 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

50.6%

JSON

Related for CVE-2021-27956

prion1