PT-2021-20095 · Manageengine · Zoho Manageengine Adselfservice Plus

Published: 2021-08-09 · Updated: 2024-08-04 · CVE-2021-33256

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: ManageEngine ADSelfService Plus version 6.1 Build No: 6101

Description: A CSV injection vulnerability on the login panel of ManageEngine ADSelfService Plus can be exploited by an unauthenticated user. The j_username parameter appears to be vulnerable: a value supplied at login is written unchanged into the "User Attempts Audit Report", and a reverse shell could be obtained if a privileged user exports that report as a CSV file and opens it in a spreadsheet application. The vendor disputes this issue, claiming it is not a valid vulnerability in their product.

Recommendations: For ManageEngine ADSelfService Plus version 6.1 Build No: 6101, consider disabling the export of "User Attempts Audit Report" as a CSV file to minimize the risk of exploitation. Restrict access to the login panel to reduce the potential for unauthenticated users to exploit the vulnerability. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
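The export-side mitigation a defender would want for this class of bug, as an added example that is not code from the product or from the advisory: before an audit row reaches the CSV file, any cell that a spreadsheet would interpret as a formula is neutralized and every cell is quoted. The column names and sample login attempts are constructed for the illustration.

```python
import csv
import io

# Characters that spreadsheet applications treat as the start of a formula
# when they appear first in a cell (the usual CSV injection triggers).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def is_formula_trigger(value: str) -> bool:
    """True if the cell text would be evaluated as a formula by a spreadsheet."""
    return value.startswith(FORMULA_TRIGGERS)


def neutralize_csv_cell(value: str) -> str:
    """Return a cell value that a spreadsheet will display as plain text.

    A leading single quote forces text interpretation; the csv writer below
    doubles any embedded double quotes, so quoting cannot be broken out of.
    """
    if is_formula_trigger(value):
        return "'" + value
    return value


def export_audit_report(attempts: list[dict]) -> str:
    """Render audit rows as CSV text with every cell neutralized and quoted."""
    columns = ("timestamp", "username", "source_ip", "result")
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(columns)
    for row in attempts:
        writer.writerow(neutralize_csv_cell(str(row[c])) for c in columns)
    return buf.getvalue()


# Constructed sample login attempts (not real log data). The second username
# is the kind of value a spreadsheet would evaluate if exported verbatim.
SAMPLE_ATTEMPTS = [
    {"timestamp": "2021-08-09T10:00:00Z", "username": "alice",
     "source_ip": "10.0.0.5", "result": "FAILED"},
    {"timestamp": "2021-08-09T10:00:07Z", "username": "=1+1",
     "source_ip": "10.0.0.9", "result": "FAILED"},
]

if __name__ == "__main__":
    print(export_audit_report(SAMPLE_ATTEMPTS))
```

The same is_formula_trigger check can be run over incoming login attempts to raise an alert when a username begins with a formula trigger, since such values have no legitimate use on a login form.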

Exploit: RCE

Weakness Enumeration

Related Identifiers: CVE-2021-33256

Affected Products: Zoho Manageengine Adselfservice Plus