CVE-2020-9347

CRITICAL

Zoho ManageEngine Password Manager Pro <10.x - Code Injection


Description

Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products.

Scores

CVSS v3 9.8
EPSS 0.0250
EPSS Percentile 85.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-1236
Status published
Products (5)
zohocorp/manageengine_password_manager_pro 10.0 (2 CPE variants)
zohocorp/manageengine_password_manager_pro 10.1 build10100 (5 CPE variants)
zohocorp/manageengine_password_manager_pro 10.2 build10200
zohocorp/manageengine_password_manager_pro 10.3 build10300 (3 CPE variants)
zohocorp/manageengine_password_manager_pro 10.4 (4 CPE variants)
Published Mar 16, 2020
Tracked Since Feb 18, 2026