CVE-2021-33256

8.8 HIGH

📋 TL;DR

A CSV injection vulnerability in ManageEngine ADSelfService Plus allows unauthenticated attackers to inject spreadsheet formulas through the username field of the login panel. When a privileged user later exports audit reports as CSV files, those formulas can execute arbitrary code, potentially leading to remote command execution. This affects ADSelfService Plus version 6.1 Build 6101.

💻 Affected Systems

Products:
  • ManageEngine ADSelfService Plus
Versions: Version 6.1 Build 6101
Operating Systems: Windows, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: The vendor disputes this as a valid vulnerability, stating that it is not a security issue in its product.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Privileged user exports CSV report, triggering malicious payload that grants attacker remote shell access with administrative privileges, leading to full system compromise.

🟠 Likely Case

Attacker gains initial foothold through command execution, enabling lateral movement, data exfiltration, or ransomware deployment.

🟢 If Mitigated

With proper input validation and output encoding, malicious formulas are treated as plain text, preventing code execution.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires privileged user interaction (exporting the CSV report), but the initial injection can be performed by an unauthenticated user.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

No official patch is available because the vendor disputes the vulnerability. Consider upgrading to the latest version and implementing the workarounds below.

🔧 Temporary Workarounds

Input Validation and Sanitization

Platforms: all

Implement server-side validation to reject or sanitize CSV formula characters in the j_username parameter.

Patch: N/A - requires code changes

CSV Output Encoding

Platforms: all

Encode CSV output so that formulas are treated as plain text, by prefixing the cell with an apostrophe or using proper escaping.

Patch: N/A - requires code changes
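
As an added illustration of both workarounds above (not code from this page or from ManageEngine, and written in Python rather than the product's own code), the following shows a reject check for the j_username value and a CSV export routine that neutralizes formula-trigger characters; the audit rows, column names and function names are constructed for the example.

```python
import csv
import io

# Leading characters that make Excel, LibreOffice and similar tools treat a
# cell as a formula. Tab and carriage return are included because some
# importers strip them and then evaluate whatever follows.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def looks_like_formula(value) -> bool:
    """Server-side check for the 'reject' variant of the first workaround."""
    return str(value).startswith(FORMULA_TRIGGERS)


def neutralize_cell(value) -> str:
    """'Sanitize' variant: force plain-text interpretation of a cell.

    A leading apostrophe tells the spreadsheet to display the cell as text;
    the csv writer then quotes the field so embedded commas, quotes and
    newlines cannot break out of it.
    """
    text = str(value)
    return "'" + text if text.startswith(FORMULA_TRIGGERS) else text


def export_audit_csv(rows, header=("timestamp", "username", "result")) -> str:
    """Serialize audit rows to CSV with every cell neutralized and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


# Constructed sample audit rows: an ordinary login, a name containing CSV
# metacharacters, and a username submitted with a harmless formula prefix.
SAMPLE_ROWS = [
    ("2021-06-01T10:00:00Z", "alice", "success"),
    ("2021-06-01T10:00:05Z", 'o"neil, j', "failure"),
    ("2021-06-01T10:00:09Z", "=SUM(1,2)", "failure"),
]

if __name__ == "__main__":
    print(export_audit_csv(SAMPLE_ROWS))
```

The apostrophe becomes part of the stored value when the file is read by a non-spreadsheet consumer, so apply it only on exports destined for spreadsheet applications or strip it again on import.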

🧯 If You Can't Patch

  • Restrict CSV export functionality to trusted administrators only
  • Implement WAF rules to block CSV formula injection patterns in login requests

🔍 How to Verify

Check if Vulnerable:

Test by submitting a CSV formula payload in the j_username parameter during login and checking whether it appears unescaped in the exported CSV.

Check Version:

Check the ADSelfService Plus version in the web interface or the installation directory.

Verify Fix Applied:

Verify that CSV exports properly escape or sanitize formula characters so that they are treated as plain text.

📡 Detection & Monitoring

Log Indicators:

  • Unusual CSV export activity by privileged users
  • Login attempts with formula characters in username field

Network Indicators:

  • HTTP requests containing CSV formula patterns (=, +, -, @) in login parameters

SIEM Query:

source="adselfservice" AND (username="=cmd|'" OR username="+cmd|'" OR username="-cmd|'")
