CVE-2021-27214

Name of the Vulnerable Software and Affected Versions: Zoho ManageEngine ADSelfService Plus versions through 6013

Description: A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet allows a remote unauthenticated attacker to perform blind HTTP requests or conduct a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request.

Recommendations: For versions through 6013, consider restricting access to the ProductConfig servlet to minimize the risk of exploitation. As a temporary workaround, limit the ability to perform HTTP requests from the administrative interface until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.