Unrated severity · NVD Advisory · Published Jul 17, 2021 · Updated Aug 4, 2024

CVE-2021-36772

Description

Zoho ManageEngine ADManager Plus before 7110 allows stored XSS.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated stored XSS in Zoho ManageEngine ADManager Plus before build 7110 allows an attacker to inject arbitrary JavaScript in report configuration fields.

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in Zoho ManageEngine ADManager Plus before build 7110 [1]. The bug allows an authenticated user to inject arbitrary HTML or JavaScript into report configuration fields, which is then stored and executed when other users view the affected reports. Affected versions are all builds prior to 7110.

Exploitation

An attacker must be an authenticated user with permission to modify report configurations. The attacker crafts a payload containing malicious JavaScript and saves it in a report configuration field. When an administrator or any other user with access to the report views the stored configuration, the payload executes in the context of the victim's browser session. No additional user interaction beyond viewing the report is required once the payload is stored.

Impact

Successful exploitation leads to arbitrary JavaScript execution in the victim's browser session, in the application's context. The attacker can perform actions on behalf of the victim, such as modifying configurations, exfiltrating sensitive data displayed in the application (e.g., user attributes, group memberships), or performing administrative actions if the victim is a privileged user.

Mitigation

The vulnerability is fixed in ManageEngine ADManager Plus build 7110 and later [1]. Administrators should upgrade to build 7110 or any subsequent build. There is no known workaround, and the vendor released the fix as part of a security update.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

1
