VYPR
Unrated severity · NVD Advisory · Published Feb 19, 2021 · Updated Aug 3, 2024

CVE-2021-27214

Description

A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An SSRF vulnerability in Zoho ManageEngine ADSelfService Plus through 6013 allows unauthenticated blind HTTP requests or XSS against the admin interface.

Vulnerability

The ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through version 6013 is vulnerable to Server-side Request Forgery (SSRF). A remote unauthenticated attacker can send a crafted HTTP request, resulting in blind HTTP requests from the server or a Cross-site Scripting (XSS) attack against the administrative interface. This issue is distinct from CVE-2019-3905. [1] [2]

Exploitation

An attacker with network access to the ADSelfService Plus web interface can exploit this by sending a specially crafted HTTP request to the ProductConfig servlet. No authentication or special privileges are needed. The SSRF leg needs no user interaction: the server itself issues the HTTP request to the attacker-chosen destination, and the attacker does not see the response (hence "blind"). The XSS leg requires an administrator's browser to render the affected response, at which point the injected script runs in the context of the administrative interface.

Impact

Successful exploitation lets the attacker make the server issue blind HTTP requests, which can reach hosts and services that are only accessible from the server's network position (internal admin endpoints, cloud metadata services, other appliances). Because the response is not returned to the attacker, the useful outcomes are side effects of the request, reachability probing via timing or error behaviour, and out-of-band callbacks to attacker-controlled hosts. The XSS leg allows script execution in an administrator's session with the admin console, which can lead to information disclosure, session hijacking, or further compromise of the console. The description does not state whether the XSS is reflected or stored. [1]

Mitigation

The affected range ends at build 6013, so later builds of ADSelfService Plus are expected to contain the vendor's fix. Affected users should upgrade to the current build as indicated in the official release notes. No workarounds have been officially provided; where an upgrade must be delayed, restricting network exposure of the ADSelfService Plus web interface to the users who need it reduces who can reach the unauthenticated servlet, but does not remove the flaw. [1]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)


References: 2
