CVE-2021-37416
Description
Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in Zoho ManageEngine ADSelfService Plus loadframe page via the single_signout parameter allows account takeover.
Vulnerability
Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to a reflected cross-site scripting (XSS) vulnerability in the loadframe page. The vulnerable code is the /LoadFrame endpoint, which reflects the single_signout query parameter into the HTML response without output encoding. An attacker can inject arbitrary HTML and JavaScript via a crafted URL. Affected versions are those prior to build 6104 [1].
Exploitation
An attacker can exploit this vulnerability by crafting a URL that carries a payload in the single_signout parameter. The published proof-of-concept value closes the attribute and the iframe tag into which the parameter is reflected (`'></iframe>`) and then appends a script element that executes alert(1). To trigger the attack, a victim must be persuaded to open the crafted URL; the attacker needs no account, because the endpoint is reachable without authentication. The injected script runs in the victim's browser in the origin of the ADSelfService Plus application, so it can act with the victim's session; no special network position or privileges are needed [1].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser within the security context of the ADSelfService Plus application. This can lead to theft of session cookies or tokens, modification of page content, or redirection to malicious sites, potentially enabling account takeover. The CVSS v3 vector is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (base score 6.1, Medium), indicating low confidentiality and integrity impact with a changed scope [1].
Mitigation
Zoho released a fixed version (build 6104) on 8 May 2021, which addresses this vulnerability. Users are advised to upgrade to version 6104 or later. No workarounds have been published for older, unsupported versions. The vulnerability was responsibly disclosed to the vendor on 17 March 2021, and public disclosure occurred on 30 August 2021 [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Zoho / ManageEngine ADSelfService Plus
- Range: <=6103
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing output sanitization of the `single_signout` parameter in the `/LoadFrame` endpoint allows reflected XSS."
Attack vector
An unauthenticated attacker crafts a URL containing a malicious payload in the `single_signout` parameter of the `/LoadFrame` endpoint [ref_id=1]. The attacker then tricks a logged-in victim into visiting this crafted URL (e.g., via phishing or social engineering). Because the input is reflected unsanitized, the attacker's JavaScript executes in the victim's browser session, potentially leading to account takeover [ref_id=1].
Affected code
The vulnerability resides in the `/LoadFrame` endpoint of Zoho ManageEngine ADSelfService Plus. The `single_signout` parameter is reflected without proper sanitization, allowing an attacker to inject arbitrary HTML and JavaScript.
What the fix does
The advisory does not include a patch diff, but states that the fixed version (build 6104) was released on 8 May 2021 [ref_id=1]. The remediation likely involves validating the `single_signout` parameter and HTML-encoding it for the attribute context in which it is reflected, so that a value cannot close the attribute or the enclosing tag.
Preconditions
- auth: Victim must be logged into ADSelfService Plus for the script to act on a live session
- input: Attacker must trick the victim into visiting a crafted URL (e.g., via phishing)
- network: No authentication or special network position is required by the attacker; the /LoadFrame endpoint is reachable unauthenticated
Reproduction
Replace `alpha-manage:8888` with the target ADSSP server address and visit the following URL: `http://alpha-manage:8888/LoadFrame?frame_name=x&src=x&single_signout=x%27%3E%3C/iframe%3E%3Cscript%3Ealert(1)%3C/script%3E` [ref_id=1]. The `frame_name` and `src` values are filler; the `single_signout` value URL-decodes to `x'></iframe><script>alert(1)</script>`, which terminates the single-quoted attribute and the iframe tag the parameter is reflected into and appends a script element. On an unpatched build the injected JavaScript executes in the visiting browser.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://blog.stmcyber.com/vulns/cve-2021-37416/ (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.