Lucene search

MitreCVE-2020-9347

HistoryMar 16, 2020 - 10:15 p.m.

CVE-2020-9347

2020-03-1622:15:15

CWE-1236

mitre

web.nvd.nist.gov

cve-2020-9347

zoho

manageengine

password manager pro

csv

excel

macro injection

vulnerability

nvd

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.004

Percentile

73.5%

JSON

Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products

Affected configurations

Nvd

Node

zohocorpmanageengine_password_manager_proMatch10.0-

zohocorpmanageengine_password_manager_proMatch10.0build10001

zohocorpmanageengine_password_manager_proMatch10.1build10100

zohocorpmanageengine_password_manager_proMatch10.1build10101

zohocorpmanageengine_password_manager_proMatch10.1build10102

zohocorpmanageengine_password_manager_proMatch10.1build10103

zohocorpmanageengine_password_manager_proMatch10.1build10104

zohocorpmanageengine_password_manager_proMatch10.2build10200

zohocorpmanageengine_password_manager_proMatch10.3build10300

zohocorpmanageengine_password_manager_proMatch10.3build10301

zohocorpmanageengine_password_manager_proMatch10.3build10302

zohocorpmanageengine_password_manager_proMatch10.4-

zohocorpmanageengine_password_manager_proMatch10.4build10400

zohocorpmanageengine_password_manager_proMatch10.4build10401

zohocorpmanageengine_password_manager_proMatch10.4build10402

VendorProductVersionCPE
zohocorpmanageengine_password_manager_pro10.0cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.0:-:*:*:*:*:*:*
zohocorpmanageengine_password_manager_pro10.0cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.0:build10001:*:*:*:*:*:*
zohocorpmanageengine_password_manager_pro10.1cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.1:build10100:*:*:*:*:*:*
zohocorpmanageengine_password_manager_pro10.1cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.1:build10101:*:*:*:*:*:*
zohocorpmanageengine_password_manager_pro10.1cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.1:build10102:*:*:*:*:*:*
zohocorpmanageengine_password_manager_pro10.1cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.1:build10103:*:*:*:*:*:*
zohocorpmanageengine_password_manager_pro10.1cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.1:build10104:*:*:*:*:*:*
zohocorpmanageengine_password_manager_pro10.2cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.2:build10200:*:*:*:*:*:*
zohocorpmanageengine_password_manager_pro10.3cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.3:build10300:*:*:*:*:*:*
zohocorpmanageengine_password_manager_pro10.3cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.3:build10301:*:*:*:*:*:*

Vendor	Product	Version	CPE
zohocorp	manageengine_password_manager_pro	10.0	cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.0:-::::::
zohocorp	manageengine_password_manager_pro	10.0	cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.0:build10001::::::
zohocorp	manageengine_password_manager_pro	10.1	cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.1:build10100::::::
zohocorp	manageengine_password_manager_pro	10.1	cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.1:build10101::::::
zohocorp	manageengine_password_manager_pro	10.1	cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.1:build10102::::::
zohocorp	manageengine_password_manager_pro	10.1	cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.1:build10103::::::
zohocorp	manageengine_password_manager_pro	10.1	cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.1:build10104::::::
zohocorp	manageengine_password_manager_pro	10.2	cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.2:build10200::::::
zohocorp	manageengine_password_manager_pro	10.3	cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.3:build10300::::::
zohocorp	manageengine_password_manager_pro	10.3	cpe:2.3:a:zohocorp:manageengine_password_manager_pro:10.3:build10301::::::

Rows per page:

1-10 of 151

References

www.infigo.hr/upload/web_struktura/Zoho_ManageEngine_Password_Manager_Pro_10.x_CSV_Excel_Macro_Injection.txt

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.3

Confidence

High

EPSS

0.004

Percentile

73.5%

JSON

Related for CVE-2020-9347