CVE-2021-37416
Published 2021-08-30

CVE-2021-37416: Zoho ManageEngine ADSelfService Plus version 6103 and prior is vulnerable to reflected XSS on the loadframe page.
Priority: P336 (medium), CVSS 3.1 base score 6.1
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Exploit
EPSS: 2.93% (85.4th percentile)
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zohocorp | manageengine_adselfservice_plus | < 6.1 | 6.1 |
| zohocorp | manageengine_adselfservice_plus | — | — |
CVSS provenance
NVD, CVSS v3.1: 6.1 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
NVD, CVSS v2.0: 4.3 MEDIUM, AV:N/AC:M/Au:N/C:N/I:P/A:N
No detection rules found.
Nuclei
Zoho ManageEngine ADSelfService Plus <=6103 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2021-37416 [MEDIUM] Zoho ManageEngine ADSelfService Plus <=6103 - Cross-Site Scripting
Zoho ManageEngine ADSelfService Plus 6103) to mitigate this vulnerability.
```yaml
  reference:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37416
    - https://blog.stmcyber.com/vulns/cve-2021-37416/
    - https://nvd.nist.gov/vuln/detail/CVE-2021-37416
    - https://github.com/ARPSyndicate/kenzer-templates
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2021-37416
    cwe-id: CWE-79
    epss-score: 0.07004
    epss-percentile: 0.91487
    cpe: cpe:2.3:a:zohocorp:manageengine_adselfservice_plus:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    vendor: zohocorp
    product: manageengine_adselfservice_plus
    shodan-query:
      - http.title:"ManageEngine"
      - http.title:"adselfservice plus"
      - http.title:"manageengine"
    fofa-query:
      - title="manageengine"
      - title="adselfs
```