CVE-2017-17552

/LoadFrame in Zoho ManageEngine AD Manager Plus build 6590 - 6613 allows attackers to conduct URL Redirection attacks via the src parameter, resulting in a bypass of CSRF protection, or potentially masquerading a malicious URL as trusted.
CSRF
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 55%
VendorProductVersion
zohocorpmanageengine_admanager_plus
𝑥
< 6.6
zohocorpmanageengine_admanager_plus
6.6:6601
zohocorpmanageengine_admanager_plus
6.6:6602
zohocorpmanageengine_admanager_plus
6.6:6610
zohocorpmanageengine_admanager_plus
6.6:6611
zohocorpmanageengine_admanager_plus
6.6:6612
zohocorpmanageengine_admanager_plus
6.6:6613
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://umbrielsecurity.wordpress.com/2018/01/31/dangerous-url-redirection-and-csrf-in-zoho-manageengine-ad-manager-plus-cve-2017-17552/
https://umbrielsecurity.wordpress.com/2018/01/31/dangerous-url-redirection-and-csrf-in-zoho-manageengine-ad-manager-plus-cve-2017-17552/