CVE-2021-37420 : Zoho ManageEngine ADSelfService Plus before 6112 is vulnerable to mail spoofing.

Products affected by CVE-2021-37420

Zohocorp » Manageengine Admanager Plus
Versions before (<) 6.1
cpe:2.3:a:zohocorp:manageengine_admanager_plus:*:*:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Admanager Plus » Version: 6.1
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.1:-:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Admanager Plus » Version: 6.1 Update 6100
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.1:6100:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Admanager Plus » Version: 6.1 Update 6101
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.1:6101:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Admanager Plus » Version: 6.1 Update 6102
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.1:6102:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Admanager Plus » Version: 6.1 Update 6103
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.1:6103:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Admanager Plus » Version: 6.1 Update 6104
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.1:6104:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Admanager Plus » Version: 6.1 Update 6105
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.1:6105:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Admanager Plus » Version: 6.1 Update 6106
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.1:6106:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Admanager Plus » Version: 6.1 Update 6107
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.1:6107:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Admanager Plus » Version: 6.1 Update 6108
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.1:6108:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Admanager Plus » Version: 6.1 Update 6109
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.1:6109:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Admanager Plus » Version: 6.1 Update 6110
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.1:6110:*:*:*:*:*:*
Matching versions
Zohocorp » Manageengine Admanager Plus » Version: 6.1 Update 6111
cpe:2.3:a:zohocorp:manageengine_admanager_plus:6.1:6111:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-37420

EPSS FAQ

1.00%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 76 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-37420

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.3	MEDIUM	AV:N/AC:M/Au:N/C:N/I:P/A:N	8.6	2.9	NIST
Access Vector: Network Access Complexity: Medium Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
6.5	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N	2.8	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2021-37420

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2021-37420

https://www.manageengine.com

ManageEngine - IT Operations and Service Management Software
Product;Vendor Advisory

CVEs referencing this url
https://blog.stmcyber.com/vulns/cve-2021-37420/

CVE-2021-37420 - STM Cyber Blog
Exploit;Third Party Advisory
https://pitstop.manageengine.com/portal/en/community/topic/adselfservice-plus-6112-hotfix-release

ADSelfService Plus 6112 Hotfix Release
Patch;Vendor Advisory

CVEs referencing this url

Vulnerability Details : CVE-2021-37420

Products affected by CVE-2021-37420

Exploit prediction scoring system (EPSS) score for CVE-2021-37420

CVSS scores for CVE-2021-37420

CWE ids for CVE-2021-37420

References for CVE-2021-37420