CVE-2020-9347

CRITICAL

Zoho ManageEngine Password Manager Pro <10.x - Code Injection

Title source: llm

Description

Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products.

Scores

CVSS v3 9.8
EPSS 0.0779
EPSS Percentile 93.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-1236
Status published
Products (5)
zohocorp/manageengine_password_manager_pro 10.0 (2 CPE variants)
zohocorp/manageengine_password_manager_pro 10.1 build10100 (5 CPE variants)
zohocorp/manageengine_password_manager_pro 10.2 build10200
zohocorp/manageengine_password_manager_pro 10.3 build10300 (3 CPE variants)
zohocorp/manageengine_password_manager_pro 10.4 (4 CPE variants)
Published Mar 16, 2020
Tracked Since Feb 18, 2026