CVE-2021-31813

Vulnerability

Stored cross-site scripting (XSS) vulnerability in Zoho ManageEngine Applications Manager before version 15.1 Build 15130 (fixed in 15130). The bug exists in the user import functionality from Active Directory. When importing users, the first and last name fields are not properly sanitized before being displayed on the /admin/userconfiguration.do page. An attacker who can control an Active Directory user's name (e.g., by creating a user with a crafted name) can inject arbitrary HTML/JavaScript. Affected versions include Build 15080 and earlier. [1]

Exploitation

An attacker must have the ability to create or modify an Active Directory user account with a malicious name containing script tags, e.g., `` in the first or last name. The attacker then needs to trigger an administrator or user with access to ManageEngine Applications Manager to import users from AD and select the malicious user. When the user details load, the injected script executes in the context of the application. No authentication is required beyond the ability to manage AD users and the victim's session. [1]

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of the victim user. This can lead to session hijacking (cookie theft), defacement, or further actions within the application's context. The attack is stored, meaning the malicious script persists and can affect any user who views the imported user details. [1]

Mitigation

Upgrade to ManageEngine Applications Manager version 15.1 Build 15130 or later, released on or around July 2021. The vendor has released a security update; download from the official site. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date. [2]