CVE-2021-28382 - OpenCVE

Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

Access Vector Network

Access Complexity Medium

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:M/Au:S/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Zohocorp	Manageengine Key Manager Plus

Configuration 1 [-]

OR	cpe:2.3:a:zohocorp:manageengine_key_manager_plus::::::::
	cpe:2.3:a:zohocorp:manageengine_key_manager_plus:6.0:6000::::::

References

Link	Resource
https://raxis.com/blog/cve-2021-28382	Exploit Third Party Advisory
https://www.manageengine.com/key-manager/release-notes.html#6001	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-06-07T09:45:15

Updated: 2021-06-11T14:50:52

Reserved: 2021-03-15T00:00:00

Link: CVE-2021-28382

JSON object: View

NVD Information

Status : Analyzed

Published: 2021-06-07T10:15:07.837

Modified: 2021-06-14T15:21:37.560

Link: CVE-2021-28382

JSON object: View

Redhat Information

No data.

CWE

CWE-79

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zohocorp:manageengine_key_manager_plus:*:*:*:*:*:*:*:*", "matchCriteriaId": "0DA5C930-ACAB-48EE-AFEA-DDFB4D45493D", "versionEndExcluding": "6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:zohocorp:manageengine_key_manager_plus:6.0:6000:*:*:*:*:*:*", "matchCriteriaId": "2353BFFF-317D-45FE-AEE4-9C5181C4C449", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Zoho ManageEngine Key Manager Plus before 6001 allows Stored XSS on the user-management page while importing malicious user details from AD."}, {"lang": "es", "value": "Zoho ManageEngine Key Manager Plus versiones anteriores a 6001, permite ataques de tipo XSS almacenado en la p\u00e1gina user-management al importar detalles de usuarios maliciosos desde el AD"}], "id": "CVE-2021-28382", "lastModified": "2021-06-14T15:21:37.560", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 6.8, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-06-07T10:15:07.837", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://raxis.com/blog/cve-2021-28382"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.manageengine.com/key-manager/release-notes.html#6001"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}