
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-20148 is a security vulnerability discovered in ManageEngine ADSelfService Plus affecting versions below build 6116. The vulnerability relates to password policy file storage and access control issues when the application is configured with multiple Windows domains (Tenable Research).
The vulnerability stems from the application storing password policy files for each domain under the html/ web root with predictable filenames based on domain names. The CVSS v3.1 base score for this vulnerability is 4.3 (Medium severity), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).
When ADSelfService Plus is configured with multiple Windows domains, the vulnerability allows a user from one domain to obtain the password policy information for another domain. This information disclosure could aid attackers in understanding the password requirements of other domains (ManageEngine).
The vulnerability has been fixed in ManageEngine ADSelfService Plus build 6116. Organizations should upgrade to this version or later to address the security issue. The fix includes restricting access to the domain password policy HTML for all users (ManageEngine).
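The weakness class described above (per-domain policy pages under the web root, readable across domains) and the shape of the fix (a per-domain authorization check on policy access), as an added illustrative example that is not ADSelfService Plus code. The `html/<domain>-policy.html` filename pattern, the `User` model and the `policies/` data directory are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from pathlib import Path
import re
import tempfile

@dataclass(frozen=True)
class User:
    name: str
    domain: str  # Windows domain the user authenticated against

# Weak design: each domain's policy page sits in the html/ web root under a
# name derived from the domain, so the web server serves it to any logged-in
# user who requests it, whatever domain that user belongs to.
def weak_policy_path(web_root: Path, domain: str) -> Path:
    return web_root / "html" / f"{domain.lower()}-policy.html"  # assumed pattern

def weak_serve_policy(web_root: Path, user: User, domain: str) -> str:
    # No check that `user` belongs to `domain`: this is the disclosure.
    return weak_policy_path(web_root, domain).read_text()

# Hardened design: validate the label, authorize per domain, and read from a
# directory the web server never exposes directly.
DOMAIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

def hardened_serve_policy(data_dir: Path, user: User, domain: str) -> str:
    if not DOMAIN_RE.match(domain):
        raise ValueError("invalid domain name")
    if user.domain.lower() != domain.lower():
        raise PermissionError(f"{user.name} may not read the {domain} policy")
    path = (data_dir / "policies" / f"{domain.lower()}.html").resolve()
    if data_dir.resolve() not in path.parents:
        raise ValueError("path escapes the policy directory")
    return path.read_text()

def demo() -> dict:
    """Constructed two-domain install; returns what each design lets alice read."""
    root = Path(tempfile.mkdtemp())
    (root / "html").mkdir()
    (root / "policies").mkdir()
    for d in ("corp.example", "lab.example"):
        weak_policy_path(root, d).write_text(f"<p>{d}: min length 12</p>")
        (root / "policies" / f"{d}.html").write_text(f"<p>{d}: min length 12</p>")
    alice = User("alice", "corp.example")
    results = {"weak_cross_domain": weak_serve_policy(root, alice, "lab.example")}
    try:
        results["hardened_cross_domain"] = hardened_serve_policy(root, alice, "lab.example")
    except PermissionError:
        results["hardened_cross_domain"] = "denied"
    results["hardened_own_domain"] = hardened_serve_policy(root, alice, "corp.example")
    return results
```

Running `demo()` shows the weak layout handing alice the other domain's policy while the hardened path denies it and still serves her own domain's policy.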
Source: This report was generated using AI