CVE-2021-36771
Description
Zoho ManageEngine ADManager Plus before 7110 allows reflected XSS.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Zoho ManageEngine ADManager Plus before build 7110 is vulnerable to reflected XSS, allowing attackers to inject arbitrary web scripts via crafted requests.
Vulnerability
Zoho ManageEngine ADManager Plus versions prior to build 7110 contain a reflected cross-site scripting (XSS) vulnerability. The bug exists in the web interface where user-supplied input is not properly sanitized before being reflected back in the response. No special configuration is required for the vulnerable code path to be reachable; any authenticated or unauthenticated user can trigger it by visiting a crafted URL. [1]
Exploitation
An attacker can exploit this vulnerability by crafting a malicious URL containing JavaScript payloads. The victim must be tricked into clicking the link while authenticated to the ADManager Plus console. No additional privileges are required; the attacker does not need to be authenticated. The XSS executes in the context of the victim's session. [1]
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser within the ADManager Plus application context. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The impact is limited to the browser session and does not directly compromise the server. [1]
Mitigation
The vulnerability is fixed in ManageEngine ADManager Plus build 7110, which was released before the CVE was published (the release date is not specified). Users should upgrade to build 7110 or later. No workarounds are documented. The product is not listed in CISA's Known Exploited Vulnerabilities catalog. [1]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho/ManageEngine ADManager Plus
- Range: <7110
Patches
No patches discovered yet.
References
[1] www.manageengine.com/products/ad-manager/release-notes.html (mitre, x_refsource_MISC)