CVE-2021-37420: 
Zoho ManageEngine ADManager Plus vulnerability analysis and mitigation

CVE-2021-37420 is an E-mail MIME injection vulnerability affecting ManageEngine ADSelfService Plus versions prior to build 6112. The vulnerability was discovered by Krzysztof Andrusiak and Marcin Ogorzelski and was reported to the vendor on July 5, 2021. The vulnerability allows unauthenticated attackers to send emails with arbitrary content to domain users by sending specially crafted requests to the '/RestAPI/PasswordSelfServiceAPI' endpoint (STM Cyber Blog, ManageEngine).

The vulnerability exists in the '/RestAPI/PasswordSelfServiceAPI' endpoint where insufficient validation of user-supplied input allows attackers to inject arbitrary content into emails. The vulnerability has been assigned a CVSS score of 6.5 (Medium) with the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N (STM Cyber Blog).

This vulnerability allows unauthenticated attackers to send emails containing any content to domain users, potentially enabling phishing attacks and other malicious email-based campaigns (ManageEngine).

The vulnerability was fixed in ADSelfService Plus build 6112. The fix includes validation of data sent to the 'ACTION_TO_PERFORM' parameter against a defined whitelist of accepted actions, and unknown actions are blocked (ManageEngine).