Vulnerability CVE-2020-9347


Published: 2020-03-16   Modified: 2020-03-17

Description:
** DISPUTED ** Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products.

Type:

CWE-74

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10

Exploit range: Remote
Attack complexity: Low
Authentication: Not required

Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

Affected software
Zohocorp -> Manageengine password manager pro 

 References:
https://www.infigo.hr/upload/web_struktura/Zoho_ManageEngine_Password_Manager_Pro_10.x_CSV_Excel_Macro_Injection.txt

Copyright 2021, cxsecurity.com

 
