CVE-2020-9347

Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products.
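
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 9.8 CRITICAL | NETWORK | LOW | NONE | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| mitre | CNA | --- | --- | | | |
| CVE | ADP | --- | --- | | | |
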
EPSS Score
Percentile: 84%

| Vendor | Product | Version |
|---|---|---|
| zohocorp | manageengine_password_manager_pro | 10.0 |
| zohocorp | manageengine_password_manager_pro | 10.0:build10001 |
| zohocorp | manageengine_password_manager_pro | 10.1:build10100 |
| zohocorp | manageengine_password_manager_pro | 10.1:build10101 |
| zohocorp | manageengine_password_manager_pro | 10.1:build10102 |
| zohocorp | manageengine_password_manager_pro | 10.1:build10103 |
| zohocorp | manageengine_password_manager_pro | 10.1:build10104 |
| zohocorp | manageengine_password_manager_pro | 10.2:build10200 |
| zohocorp | manageengine_password_manager_pro | 10.3:build10300 |
| zohocorp | manageengine_password_manager_pro | 10.3:build10301 |
| zohocorp | manageengine_password_manager_pro | 10.3:build10302 |
| zohocorp | manageengine_password_manager_pro | 10.4 |
| zohocorp | manageengine_password_manager_pro | 10.4:build10400 |
| zohocorp | manageengine_password_manager_pro | 10.4:build10401 |
| zohocorp | manageengine_password_manager_pro | 10.4:build10402 |

𝑥 = Vulnerable software versions