CVE-2021-42291: Active Directory Domain Services Elevation of Privilege Vulnerability

Zoho ManageEngine ADManager Plus before 7115 is vulnerable to a filter bypass that leads to file-upload remote code execution.

Zoho ManageEngine Patch Connect Plus before 90099 is vulnerable to unauthenticated remote code execution.

*What type of information could be disclosed by this vulnerability?* Exploiting this vulnerability could allow the disclosure of initialized and/or uninitialized memory in the process heap.

*Where can I find more information about Active Directory SAM Account hardening changes?* See Active Directory SAM Account hardening changes.

*Where can I find more information about the improved authentication process added by the update for CVE-2021-42287?* See Authentication updates.

*What can cause this vulnerability?* The vulnerability occurs due to improper validation of cmdlet arguments. *Does the attacker need to be in an authenticated role in the Exchange Server?* Yes, the attacker must be authenticated.

Zoho ManageEngine ADManager Plus before 7110 is vulnerable to blind XXE.

Zoho ManageEngine ADManager Plus version 7110 and prior has a Post-Auth OS command injection vulnerability.

Zoho ManageEngine ADManager Plus version 7110 and prior allows account takeover via SSO.

ManageEngine ADManager Plus before 7111 has Pre-authentication RCE vulnerabilities.

A stored cross-site scripting issue impacts certain areas of the Web UI for Code Insight v7.x releases up to and including 2020 R1 (7.11.0-64).

An elevated privileges issue related to Spring MVC calls impacts Code Insight v7.x releases up to and including 2020 R1 (7.11.0-64).