Tag: Zoho

  • ManageEngine Key Manager Plus Cross-Site Scripting Vulnerability (CVE-2021-28382)

    I’m Matt Dunn, lead penetration tester here at Raxis. This is a summary of the second stored cross-site scripting vulnerability I discovered while testing several Zoho-owned ManageEngine products. This vulnerability exists in the Key Manager Plus Version 6000.

    Summary

    Recently I discovered a stored Cross-Site Scripting vulnerability in the Zoho-owned ManageEngine Key Manager Plus for Version 6000 (CVE-2021-28382). The vulnerability exists in any of a user’s details fields when they are imported from Active Directory. This can be performed in one of the name fields or the email field, and is executed when visiting the /apiclient/index.jsp#/Settings/UserManagement page. After this page loads, the user’s details are loaded with unescaped content, allowing for malicious JavaScript to be reflected back to users.

    Proof of Concept

    The vulnerability can be triggered by inserting html content, specifically script tags, into the first name, last name, or email field of an Active Directory user. The following was inserted as a proof of concept to reflect the user’s cookie in an alert box:

    <script>alert(document.cookie)</script>

    An example of this in the Last Name field of one such user can be seen here:

    Stored XSS Payload

    After that user’s details load on the UserManagement page, the HTML is then presented unescaped on the web page, which allows the script tags to be loaded as valid JavaScript. The unescaped HTML, as loaded, can be seen here:

    Unescaped JavaScript Tags

    After loading the UserManagement page, the malicious content is executed, as shown below:

    XSS Execution Displaying the User's Cookie

    Affected Versions

    Raxis discovered this vulnerability on Manage Engine Key Manager Plus 6000 (6.0.0), but any version below 6001 could be vulnerable when importing users from Active Directory.

    Remediation

    Upgrade ManageEngine Key Manager Plus to version 6001 or later immediately. Version 6001 can be found here: https://www.manageengine.com/key-manager/release-notes.html#6001

    Disclosure Timeline

    • March 5, 2021 – Vulnerability reported to Zoho
    • March 8, 2021 – Zoho begins investigation into report
    • March 13, 2021 – Zoho releases version 6001 to mitigate vulnerability
    • March 15, 2021 CVE-2021-28382 assigned to this vulnerability

    CVE Links

  • Cross-Site Scripting Vulnerability in ManageEngine AD Self Service Plus (CVE-2021-27956)

    I’m Matt Dunn, lead penetration tester at Raxis.This is a summary of the first stored cross-site scripting vulnerability I discovered while testing several Zoho-owned ManageEngine products. This vulnerability exists in the AD Self Service Plus Version 6.1.

    Summary

    Recently I discovered a stored cross-site scripting (XSS) vulnerability in the Zoho-owned ManageEngine AD Self Service Plus for Version 6.1 (CVE-2021-27956). The vulnerability exists in the email field of search results on the page: /webclient/index.html#/directory-search. After searching for a user, if the “More” tab is clicked, the email field is loaded with unescaped content, allowing for malicious JavaScript to be reflected back to users.

    Proof of Concept

    The vulnerability can be triggered by inserting HTML content, in this case script tags, into the email field of an Active Directory user. The following was inserted as a proof of concept to reflect the user’s cookie in an alert box:

    <script>alert(document.cookie)</script>

    An example of this on one such user is shown here:

    Stored XSS Payload

    After searching for that user, the HTML is then presented unescaped on the web page, which allows the script tags to be loaded as valid JavaScript. The unescaped HTML as loaded is shown here:

    Unescaped JavaScript Tags

    After loading the search page, clicking the “More” tab triggers the vulnerability, which is shown in Figure 3:

    XSS Payload Executed
    Affected Versions

    Raxis discovered this vulnerability on ManageEngine AD Self Service Plus 6.1, build 6100.

    Remediation

    Upgrade ManageEngine AD Self Service Plus to Build Version 6104 immediately. The ServicePack can be found here with release notes here.

    Disclosure Timeline
    • February 19, 2021 Vulnerability reported to Zoho
    • February 19, 2021 Zoho begins investigation into report
    • March 5, 2021 CVE-2021-27956 assigned to this vulnerability
    • May 8, 2021 Zoho releases patch for this vulnerability

    CVE Links