CVE-2021-27956
Description
Zoho ManageEngine ADSelfService Plus before 6104 allows stored XSS on the /webclient/index.html#/directory-search user search page via the e-mail address field.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zoho ManageEngine ADSelfService Plus before build 6104 contains a stored XSS vulnerability in the e-mail field of the directory search results page.
Vulnerability
Zoho ManageEngine ADSelfService Plus version 6.1 (up to build 6100) contains a stored cross-site scripting (XSS) vulnerability in the /webclient/index.html#/directory-search user search page. The flaw resides in the e-mail address field displayed when clicking the "More" tab on search results [2]. When a user's e-mail field contains HTML or JavaScript payloads, the application renders them unescaped in the browser [2]. Affected versions include builds prior to 6104 [1].
Exploitation
An attacker needs the ability to write to the e-mail attribute of an Active Directory user; this typically requires administrative privileges or delegated write access to directory objects [2]. The attacker inserts a malicious payload, such as ``, into the victim's e-mail field [2]. When any user (including administrators) searches for that directory entry and clicks the "More" tab, the script executes in the context of the viewer's session [2]. No additional user interaction beyond that click is required.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any user who views the search results for the compromised account [2]. This can lead to session cookie theft, redirection to malicious sites, or actions performed on behalf of the victim within the ADSelfService Plus web interface. The impact is at the web application UI layer, with potential privileged access if an administrator views the page.
Mitigation
Zoho released build 6104 on May 8, 2021 to address this vulnerability [2]. Administrators should upgrade to build 6104 or later immediately [1]. No workaround is documented if an upgrade is not possible. The product is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho ManageEngine / ADSelfService Plus
- Range: <6104
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The email field of Active Directory user search results is rendered without HTML escaping, allowing stored cross-site scripting."
Attack vector
An attacker inserts malicious HTML (e.g., `
Affected code
The vulnerability exists in the email field of search results on the page `/webclient/index.html#/directory-search` [ref_id=1]. After searching for a user and clicking the "More" tab, the email field is loaded with unescaped content [ref_id=1].
What the fix does
The advisory does not include a patch diff, but the remediation guidance states to upgrade ManageEngine ADSelfService Plus to Build Version 6104 [ref_id=1]. The fix presumably escapes or sanitizes the email field content before rendering it on the directory-search page, preventing script execution [ref_id=1].
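The advisory gives no patch diff, so the following is an added example (not ManageEngine's code) of the defect class described here and the output-escaping that removes it: an e-mail attribute read from the directory is interpolated into the results table either raw or through an HTML escaper. The entries, the `sAMAccountName`/`mail` field names and the `looksLikeInjectedMarkup` audit heuristic are constructed for illustration; the audit is a defender-side check for directory values that a real mail attribute should never contain.

```javascript
// Added example, not code from the advisory or the product.
// Shows the unescaped-render defect beside an escaped render, plus an
// audit helper for hunting markup in directory mail attributes.

const ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable shape: the directory value is dropped straight into the markup,
// so any tags stored in the attribute are interpreted by the browser.
function renderEmailUnescaped(entry) {
  return `<td class="email">${entry.mail}</td>`;
}

// Hardened shape: escape on output, whatever the directory holds.
function renderEmailEscaped(entry) {
  return `<td class="email">${escapeHtml(entry.mail)}</td>`;
}

// Defender-side audit heuristic (hypothetical): flag mail values containing
// angle brackets, double quotes or an inline event-handler pattern. It is a
// conservative hunt rule, not an RFC 5322 validator.
function looksLikeInjectedMarkup(mail) {
  return /[<>"]/.test(mail) || /\bon[a-z]+\s*=/i.test(mail);
}

// Constructed sample entries (hypothetical users, not from the advisory).
const sampleEntries = [
  { sAMAccountName: 'jdoe', mail: 'jdoe@example.test' },
  { sAMAccountName: 'tampered', mail: '<b>jdoe</b>@example.test' },
];

// Return the account names whose mail attribute looks tampered with.
function auditEntries(entries) {
  return entries
    .filter((e) => looksLikeInjectedMarkup(e.mail))
    .map((e) => e.sAMAccountName);
}

// Stand-alone run under Node (guarded so the file also loads as a module).
if (typeof require !== 'undefined' && require.main === module) {
  for (const entry of sampleEntries) {
    console.log('unescaped:', renderEmailUnescaped(entry));
    console.log('escaped:  ', renderEmailEscaped(entry));
  }
  console.log('flagged:', auditEntries(sampleEntries));
}
```

The escaped render turns the stored `<b>` into `&lt;b&gt;`, so the browser shows the literal characters instead of interpreting them; the audit helper is the kind of check an administrator can run over an export of user objects to find attributes that were written with markup before the upgrade to build 6104.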
Preconditions
- An attacker must be able to set or modify the email address field of an Active Directory user (e.g., via AD management tools or privileged access)
- A victim user must navigate to the directory-search page and click the 'More' tab on the attacker-controlled user's search result
Reproduction
1. Insert `
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6104-released-with-an-important-security-fixes (MITRE x_refsource_CONFIRM)
- raxis.com/blog/cve-2021-27956-manage-engine-xss (MITRE x_refsource_MISC)
- www.manageengine.com (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.