CVE-2020-9347

Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products

Published: Mar 16, 2020
Updated: Nov 8, 2023
CVE: CVE-2020-9347
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: High
Score: 7.5
AV:N/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-1236

Affected Software
References

Software	From	Fixed in
zohocorp / manageengine_password_manager_pro	10.4	10.4.x
zohocorp / manageengine_password_manager_pro	10.4-build10400	10.4-build10400.x
zohocorp / manageengine_password_manager_pro	10.4-build10402	10.4-build10402.x
zohocorp / manageengine_password_manager_pro	10.4-build10401	10.4-build10401.x
zohocorp / manageengine_password_manager_pro	10.3-build10301	10.3-build10301.x
zohocorp / manageengine_password_manager_pro	10.3-build10302	10.3-build10302.x
zohocorp / manageengine_password_manager_pro	10.3-build10300	10.3-build10300.x
zohocorp / manageengine_password_manager_pro	10.2-build10200	10.2-build10200.x
zohocorp / manageengine_password_manager_pro	10.1-build10101	10.1-build10101.x
zohocorp / manageengine_password_manager_pro	10.1-build10102	10.1-build10102.x
zohocorp / manageengine_password_manager_pro	10.1-build10103	10.1-build10103.x
zohocorp / manageengine_password_manager_pro	10.1-build10104	10.1-build10104.x
zohocorp / manageengine_password_manager_pro	10.1-build10100	10.1-build10100.x
zohocorp / manageengine_password_manager_pro	10.0-build10001	10.0-build10001.x
zohocorp / manageengine_password_manager_pro	10.0	10.0.x

https://www.infigo.hr/upload/web_struktura/Zoho_ManageEngine_Password_Manager_Pro_10.x_CSV_Excel_Macro_Injection.txt

Vulnerability Database

289,697

CVE-2020-9347