CVE-2021-28382
Description
Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ManageEngine Key Manager Plus before 6001 is vulnerable to stored XSS when importing malicious user details from Active Directory, allowing script execution on the user-management page.
Vulnerability
A stored cross-site scripting (XSS) vulnerability exists in Zoho ManageEngine Key Manager Plus versions before 6001. The flaw resides in the user-management page (/apiclient/index.jsp#/Settings/UserManagement). When user details are imported from Active Directory (AD), the first name, last name, and email fields are not properly sanitized before being stored. An attacker who controls user attributes in AD can inject malicious HTML or script content that is later rendered without escaping on the affected page [1][2]. All versions prior to build 6001 are vulnerable [2].
Exploitation
To exploit the vulnerability, an attacker must have the ability to modify user attributes in an Active Directory domain that is imported by ManageEngine Key Manager Plus. The attacker inserts a malicious payload, such as ``, into the first name, last name, or email field of an AD user [2]. When an administrator or any user with access to the user-management page loads that page, the injected script executes in the context of the browser session, requiring no additional user interaction beyond page navigation [2].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking via cookie theft, defacement, or further actions such as phishing or data exfiltration within the application's security context [2]. The scope of compromise is limited to the browser session of the user viewing the user-management page, but may allow the attacker to perform actions on behalf of that user if the application does not enforce additional protections.
Mitigation
The vendor released version 6001 (build 6001) to address this vulnerability. The fixed version is available for download from the ManageEngine Key Manager Plus release notes [1]. Users are strongly advised to upgrade to version 6001 or later immediately [2]. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine Key Manager Plus
- Range: <6001
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"User details imported from Active Directory are rendered unescaped on the UserManagement page, allowing stored XSS."
Attack vector
An attacker who can control or modify Active Directory user attributes (first name, last name, or email) inserts malicious JavaScript, such as `
Affected code
The vulnerability exists in the user-management page at `/apiclient/index.jsp#/Settings/UserManagement`. When user details (first name, last name, or email) are imported from Active Directory, the application loads these fields with unescaped HTML content [ref_id=1].
What the fix does
The advisory states that Zoho released version 6001 to mitigate the vulnerability [ref_id=1]. No patch diff is provided in the bundle, but the remediation guidance is to upgrade ManageEngine Key Manager Plus to version 6001 or later immediately [ref_id=1].
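The unescaped-rendering pattern described under Root cause and Affected code, as an added JavaScript example that is not Key Manager Plus code: a row renderer that interpolates raw AD attributes beside one that escapes every field at output time, run over constructed AD-style user records (the names, the script-tag value and the e-mail addresses are assumed sample data).

```javascript
// Added example, not Key Manager Plus code. Models a user-management table
// being built from Active Directory import results in the browser.

// Constructed sample of users as an AD import might return them. The second
// record carries a script tag in its first name; AD does not validate this.
const importedUsers = [
  { firstName: "Alice", lastName: "Smith", email: "alice@example.test" },
  { firstName: "<script>alert('xss')</script>", lastName: "O'Brien",
    email: "bob@example.test" },
];

// Escape the characters that change meaning in HTML text and attribute
// context. In DOM code, assigning to textContent instead of innerHTML
// achieves the same effect without a helper.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;",
                '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: attribute values are interpolated into markup as-is,
// so a script tag stored in AD becomes live markup on the page.
function renderRowUnsafe(user) {
  return `<tr><td>${user.firstName}</td><td>${user.lastName}</td>` +
         `<td>${user.email}</td></tr>`;
}

// Hardened pattern: every imported field is escaped at the point of output,
// regardless of where it came from.
function renderRowSafe(user) {
  const cells = [user.firstName, user.lastName, user.email]
    .map((v) => `<td>${escapeHtml(v)}</td>`)
    .join("");
  return `<tr>${cells}</tr>`;
}

// Defensive check for tests or output review: after stripping the table
// scaffolding, does any active element or inline event handler remain?
function containsActiveMarkup(html) {
  const body = html.replace(/<\/?(tr|td)>/g, "");
  return /<(script|img|svg|iframe|object|embed)\b|on\w+\s*=/i.test(body);
}

function renderTable(users, renderRow) {
  return `<table>${users.map(renderRow).join("")}</table>`;
}
```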
Preconditions
- Input: The attacker must be able to control or modify Active Directory user attributes (first name, last name, or email) that will be imported into Key Manager Plus.
- Auth: A user with access to the /apiclient/index.jsp#/Settings/UserManagement page must load the imported user's details.
Reproduction
Insert HTML content, specifically a script tag such as `
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- raxis.com/blog/cve-2021-28382 (MISC)
- www.manageengine.com/key-manager/release-notes.html (MISC)
News mentions
No linked articles in our index yet.