A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905.
References
Link | Resource |
---|---|
https://www.horizonsecurity.it/lang_EN/advisories/?a=20&title=ManageEngine+ADSelfService+Plus+privilege+escalation++CVE202127214 | Exploit Third Party Advisory |
https://www.manageengine.com/products/self-service-password/release-notes.html | Release Notes Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
12 Jul 2022, 17:42
Type | Values Removed | Values Added |
---|---|---|
CWE | CWE-918 |
26 Feb 2021, 15:16
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 4.3
v3 : 6.1 |
CPE | cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6003:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6005:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6001:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6009:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6013:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6008:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6007:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6002:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6000:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6012:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6004:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:6006:*:*:*:*:*:* cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:6.0:-:*:*:*:*:*:* |
|
CWE | CWE-79 | |
References | (MISC) https://www.horizonsecurity.it/lang_EN/advisories/?a=20&title=ManageEngine+ADSelfService+Plus+privilege+escalation++CVE202127214 - Exploit, Third Party Advisory | |
References | (MISC) https://www.manageengine.com/products/self-service-password/release-notes.html - Release Notes, Vendor Advisory |
19 Feb 2021, 19:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-02-19 19:15
Updated : 2023-12-10 13:41
NVD link : CVE-2021-27214
Mitre link : CVE-2021-27214
CVE.ORG link : CVE-2021-27214
JSON object : View
Products Affected
zohocorp
- manageengine_adselfservice_plus