CVE-2021-37416: 
Zoho ManageEngine ADSelfService Plus vulnerability analysis and mitigation

Zoho ManageEngine ADSelfService Plus version 6103 and prior was discovered to contain a reflected Cross-Site Scripting (XSS) vulnerability in the loadframe page. The vulnerability was identified on March 17, 2021, and was assigned CVE-2021-37416. The issue was fixed in version 6104, which was released on May 8, 2021 (STM Cyber Blog).

The vulnerability exists in the /LoadFrame endpoint where the single_signout parameter was not properly sanitized, allowing for reflected XSS attacks. The vulnerability has been assigned a CVSS v3.1 base score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, indicating that it requires user interaction but no privileges, and can potentially affect confidentiality and integrity (NVD).

The exploitation of this vulnerability could potentially lead to victim's account takeover through cross-site scripting attacks. The vulnerability allows attackers to inject malicious JavaScript code that could be executed in the context of the user's browser session (STM Cyber Blog).

The vulnerability was addressed in ManageEngine ADSelfService Plus version 6104, where special characters are now properly sanitized before the string is added into the HTML code. Organizations are advised to upgrade to version 6104 or later to protect against this vulnerability (ManageEngine).