CVSS: 9.8EPSS: 24%CPEs: 15EXPL: 0CVE-2020-9347
https://notcve.org/view.php?id=CVE-2020-9347
16 Mar 2020 — Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products ** EN DISPUTA ** Zoho ManageEngine Password Manager Pro hasta la versión de 10.x tiene una vulnerabilidad de inyección de macro en Excel CSV ... • https://www.infigo.hr/upload/web_struktura/Zoho_ManageEngine_Password_Manager_Pro_10.x_CSV_Excel_Macro_Injection.txt • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 8.8EPSS: 0%CPEs: 5EXPL: 0CVE-2020-9346
https://notcve.org/view.php?id=CVE-2020-9346
16 Mar 2020 — Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role. Zoho ManageEngine Password Manager Pro versiones 10.4 y anteriores, no poseen protección contra ataques de tipo Cross-site Request Forgery (CSRF), como es demostrado al cambiar el rol del usuario. • https://www.infigo.hr/upload/web_struktura/Zoho_ManageEngine_Password_Manager_Pro_10.4_CSRF.txt • CWE-352: Cross-Site Request Forgery (CSRF) •