CVE-2021-27214 (CVSS base score 6.1)
- EPSS 10.52%
- Published 19.02.2021 19:15:12
- Last modified 21.11.2024 05:57:36
- Source cve@mitre.org
A Server-side request forgery (SSRF) vulnerability in the ProductConfig servlet in Zoho ManageEngine ADSelfService Plus through 6013 allows a remote unauthenticated attacker to perform blind HTTP requests or perform a Cross-site scripting (XSS) attack against the administrative interface via an HTTP request, a different vulnerability than CVE-2019-3905.
Data is provided by the National Vulnerability Database (NVD)
Zohocorp ≫ Manageengine Adselfservice Plus Version 6.0 Update-
Zohocorp ≫ Manageengine Adselfservice Plus Version 6.0 Update 6000
Zohocorp ≫ Manageengine Adselfservice Plus Version 6.0 Update 6001
Zohocorp ≫ Manageengine Adselfservice Plus Version 6.0 Update 6002
Zohocorp ≫ Manageengine Adselfservice Plus Version 6.0 Update 6003
Zohocorp ≫ Manageengine Adselfservice Plus Version 6.0 Update 6004
Zohocorp ≫ Manageengine Adselfservice Plus Version 6.0 Update 6005
Zohocorp ≫ Manageengine Adselfservice Plus Version 6.0 Update 6006
Zohocorp ≫ Manageengine Adselfservice Plus Version 6.0 Update 6007
Zohocorp ≫ Manageengine Adselfservice Plus Version 6.0 Update 6008
Zohocorp ≫ Manageengine Adselfservice Plus Version 6.0 Update 6009
Zohocorp ≫ Manageengine Adselfservice Plus Version 6.0 Update 6012
Zohocorp ≫ Manageengine Adselfservice Plus Version 6.0 Update 6013
No CISA KEV entry or CERT.AT warning was found for this CVE.
Type | Source | Score | Percentile |
---|---|---|---|
EPSS | FIRST.org | 10.52% | 0.925 |
Source | Base Score | Exploit Score | Impact Score | Vector string |
---|---|---|---|---|
nvd@nist.gov | 6.1 | 2.8 | 2.7 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
nvd@nist.gov | 4.3 | 8.6 | 2.9 | AV:N/AC:M/Au:N/C:N/I:P/A:N |
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-918 Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.