CVE-2021-27214: XSS
First published: Fri Feb 19 2021(Updated: )
A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Zohocorp Manageengine Adselfservice Plus | =6.0 | |
| Zohocorp Manageengine Adselfservice Plus | =6.0-6000 | |
| Zohocorp Manageengine Adselfservice Plus | =6.0-6001 | |
| Zohocorp Manageengine Adselfservice Plus | =6.0-6002 | |
| Zohocorp Manageengine Adselfservice Plus | =6.0-6003 | |
| Zohocorp Manageengine Adselfservice Plus | =6.0-6004 | |
| Zohocorp Manageengine Adselfservice Plus | =6.0-6005 | |
| Zohocorp Manageengine Adselfservice Plus | =6.0-6006 | |
| Zohocorp Manageengine Adselfservice Plus | =6.0-6007 | |
| Zohocorp Manageengine Adselfservice Plus | =6.0-6008 | |
| Zohocorp Manageengine Adselfservice Plus | =6.0-6009 | |
| Zohocorp Manageengine Adselfservice Plus | =6.0-6012 | |
| Zohocorp Manageengine Adselfservice Plus | =6.0-6013 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2021-27214?
The severity of CVE-2021-27214 is medium with a CVSS score of 6.1.
How does CVE-2021-27214 affect Zoho ManageEngine ADSelfService Plus?
CVE-2021-27214 affects Zoho ManageEngine ADSelfService Plus versions 6.0 through 6013.
What is the vulnerability description of CVE-2021-27214?
CVE-2021-27214 is a Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus that allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP.
How can an attacker exploit CVE-2021-27214?
An attacker can exploit CVE-2021-27214 by sending malicious requests to the ProductConfig servlet and potentially perform actions on behalf of the application or access sensitive information.
Are there any references available for CVE-2021-27214?
Yes, you can find references for CVE-2021-27214 at the following links: [Reference 1](https://www.horizonsecurity.it/lang_EN/advisories/?a=20&title=ManageEngine+ADSelfService+Plus+privilege+escalation++CVE202127214), [Reference 2](https://www.manageengine.com/products/self-service-password/release-notes.html).
- collector/nvd-index
- agent/references
- agent/severity
- agent/weakness
- agent/author
- agent/type
- agent/tags
- agent/event
- agent/description
- agent/last-modified-date
- agent/softwarecombine
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/zohocorp
- canonical/zohocorp manageengine adselfservice plus
- version/zohocorp manageengine adselfservice plus/6.0
- version/zohocorp manageengine adselfservice plus/6.0-6000
- version/zohocorp manageengine adselfservice plus/6.0-6001
- version/zohocorp manageengine adselfservice plus/6.0-6002
- version/zohocorp manageengine adselfservice plus/6.0-6003
- version/zohocorp manageengine adselfservice plus/6.0-6004
- version/zohocorp manageengine adselfservice plus/6.0-6005
- version/zohocorp manageengine adselfservice plus/6.0-6006
- version/zohocorp manageengine adselfservice plus/6.0-6007
- version/zohocorp manageengine adselfservice plus/6.0-6008
- version/zohocorp manageengine adselfservice plus/6.0-6009
- version/zohocorp manageengine adselfservice plus/6.0-6012
- version/zohocorp manageengine adselfservice plus/6.0-6013