CVE-2020-9347
First published: Mon Mar 16 2020(Updated: )
** DISPUTED ** Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ManageEngine Password Manager Pro | =10.0 | |
| ManageEngine Password Manager Pro | =10.0-build10001 | |
| ManageEngine Password Manager Pro | =10.1-build10100 | |
| ManageEngine Password Manager Pro | =10.1-build10101 | |
| ManageEngine Password Manager Pro | =10.1-build10102 | |
| ManageEngine Password Manager Pro | =10.1-build10103 | |
| ManageEngine Password Manager Pro | =10.1-build10104 | |
| ManageEngine Password Manager Pro | =10.2-build10200 | |
| ManageEngine Password Manager Pro | =10.3-build10300 | |
| ManageEngine Password Manager Pro | =10.3-build10301 | |
| ManageEngine Password Manager Pro | =10.3-build10302 | |
| ManageEngine Password Manager Pro | =10.4 | |
| ManageEngine Password Manager Pro | =10.4-build10400 | |
| ManageEngine Password Manager Pro | =10.4-build10401 | |
| ManageEngine Password Manager Pro | =10.4-build10402 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2020-9347.
What is the severity rating of CVE-2020-9347?
CVE-2020-9347 has a severity rating of 9.8 (Critical).
What is the affected software?
The affected software is Zoho ManageEngine Password Manager Pro versions 10.0 through 10.4.
How can this vulnerability be exploited?
This vulnerability can be exploited through a crafted name that is mishandled by the Export Passwords feature.
Is there a fix or mitigation available for this vulnerability?
At the time of this report, the vendor disputes the significance of this report, so there may not be an official fix or mitigation available.
- agent/type
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/status
- agent/softwarecombine
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/first-publish-date
- agent/event
- agent/last-modified-date
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-index
- vendor/zohocorp
- canonical/manageengine password manager pro
- version/manageengine password manager pro/10.0
- version/manageengine password manager pro/10.0-build10001
- version/manageengine password manager pro/10.1-build10100
- version/manageengine password manager pro/10.1-build10101
- version/manageengine password manager pro/10.1-build10102
- version/manageengine password manager pro/10.1-build10103
- version/manageengine password manager pro/10.1-build10104
- version/manageengine password manager pro/10.2-build10200
- version/manageengine password manager pro/10.3-build10300
- version/manageengine password manager pro/10.3-build10301
- version/manageengine password manager pro/10.3-build10302
- version/manageengine password manager pro/10.4
- version/manageengine password manager pro/10.4-build10400
- version/manageengine password manager pro/10.4-build10401
- version/manageengine password manager pro/10.4-build10402
- status/disputed