CVE-2022-24681: ManageEngine AD SelfService Plus Stored Cross-Site Scripting (XSS)

I’m Matt Dunn, a lead penetration tester here at Raxis. Recently, I discovered a stored Cross-Site Scripting vulnerability in Zoho’s ManageEngine AD SelfService Plus.

Summary

The vulnerability exists in the /accounts/authVerify page, which is used for the forgot password, change password, and unlock account functionalities.

Proof of Concept

The vulnerability can be triggered by inserting html content, specifically tags that support JavaScript, into the first or last name of an Active Directory user. The following was inserted as a proof of concept to reflect the user’s cookie in an alert box:

<img src=x onerror=”alert(document.cookie)”/>

An example of this in the Last Name field of one such user is shown here:

Stored XSS Payload

The next time that user forgets, attempts to change, or is locked out of their account and they load the authVerify page, their name is presented without being sanitized. The unescaped HTML as loaded can be seen in Figure 2:

Unescaped JavaScript Tags

After the user attempts to reset their password, the malicious content is executed, as shown in Figure 3:

JavaScript Execution to Display User's Cookie in an Alert Box

If the user must change their password on login, the malicious content is executed, as shown in Figure 4:

Payload Execution on Change Password Page

If the user attempts to unlock their account, the malicious content is executed, as shown in Figure 5:

Payload Execution on Account Unlock
Affected Versions

Raxis discovered this vulnerability on Manage Engine AD SelfService Plus 6.1 Build 6119.

Remediation

Upgrade ManageEngine AD SelfService Plus to Version 6.1 Build 6121 or later immediately:

Disclosure Timeline
  • January 22, 2022 – Vulnerability reported to Zoho
  • January 22, 2022 – Zoho begins investigation into report
  • February 9, 2022 CVE-2022-24681 is assigned to this vulnerability
  • March 7, 2022 – Zoho releases fixed version 6.1 Build 6121
CVE Links

 

More posts