CVE-2021-31857
https://notcve.org/view.php?id=CVE-2021-31857
In Zoho ManageEngine Password Manager Pro before 11.1 build 11104, attackers are able to retrieve credentials via a browser extension for non-website resource types. En Zoho ManageEngine Password Manager Pro versiones anteriores a 11.1 build 11104, unos atacantes son capaces de recuperar credenciales por medio de una extensión del navegador para tipos de recursos que no son del sitio web • https://www.manageengine.com https://www.manageengine.com/products/passwordmanagerpro/release-notes.html#pmp11104 •
CVE-2020-9347
https://notcve.org/view.php?id=CVE-2020-9347
Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products ** EN DISPUTA ** Zoho ManageEngine Password Manager Pro hasta la versión de 10.x tiene una vulnerabilidad de inyección de macro en Excel CSV a través de un nombre especialmente diseñado que es mal manejado por la función Exportar contraseñas. NOTA: el proveedor cuestiona la importancia de este informe porque espera que una aplicación externa proporcione la mitigación del riesgo de CSV y no planea agregar restricciones de CSV a sus propios productos. • https://www.infigo.hr/upload/web_struktura/Zoho_ManageEngine_Password_Manager_Pro_10.x_CSV_Excel_Macro_Injection.txt • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVE-2020-9346
https://notcve.org/view.php?id=CVE-2020-9346
Zoho ManageEngine Password Manager Pro 10.4 and prior has no protection against Cross-site Request Forgery (CSRF) attacks, as demonstrated by changing a user's role. Zoho ManageEngine Password Manager Pro versiones 10.4 y anteriores, no poseen protección contra ataques de tipo Cross-site Request Forgery (CSRF), como es demostrado al cambiar el rol del usuario. • https://www.infigo.hr/upload/web_struktura/Zoho_ManageEngine_Password_Manager_Pro_10.4_CSRF.txt https://www.manageengine.com/products/passwordmanagerpro/issues-fixed.html • CWE-352: Cross-Site Request Forgery (CSRF) •
CVE-2016-1159
https://notcve.org/view.php?id=CVE-2016-1159
In ZOHO Password Manager Pro (PMP) 8.3.0 (Build 8303) and 8.4.0 (Build 8400,8401,8402), underprivileged users can obtain sensitive information (entry password history) via a vulnerable hidden service. En ZOHO Password Manager Pro (PMP) versiones 8.3.0 (Build 8303) y 8.4.0 (Build 8400,8401,8402), unos usuarios no privilegiados pueden obtener información confidencial (historial de contraseñas de entrada) por medio de un servicio oculto vulnerable. • http://jvn.jp/vu/JVNVU90405898/index.html https://excellium-services.com/cert-xlm-advisory/cve-2016-1159 https://www.manageengine.com/products/passwordmanagerpro/issues-fixed.html https://www.manageengine.com/products/passwordmanagerpro/release-notes.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2019-12133
https://notcve.org/view.php?id=CVE-2019-12133
Multiple Zoho ManageEngine products suffer from local privilege escalation due to improper permissions for the %SYSTEMDRIVE%\ManageEngine directory and its sub-folders. Moreover, the services associated with said products try to execute binaries such as sc.exe from the current directory upon system start. This will effectively allow non-privileged users to escalate privileges to NT AUTHORITY\SYSTEM. This affects Desktop Central 10.0.380, EventLog Analyzer 12.0.2, ServiceDesk Plus 10.0.0, SupportCenter Plus 8.1, O365 Manager Plus 4.0, Mobile Device Manager Plus 9.0.0, Patch Connect Plus 9.0.0, Vulnerability Manager Plus 9.0.0, Patch Manager Plus 9.0.0, OpManager 12.3, NetFlow Analyzer 11.0, OpUtils 11.0, Network Configuration Manager 11.0, FireWall 12.0, Key Manager Plus 5.6, Password Manager Pro 9.9, Analytics Plus 1.0, and Browser Security Plus. Varios productos Zoho ManageEngine sufren una escalada de privilegios locales debido a permisos inapropiados para el directorio %SYSTEMDRIVE%\ManageEngine y sus subcarpetas. • https://github.com/active-labs/Advisories/blob/master/2019/ACTIVE-2019-007.md https://www.manageengine.com/products/desktop-central/elevation-of-privilege-vulnerability.html • CWE-427: Uncontrolled Search Path Element CWE-732: Incorrect Permission Assignment for Critical Resource •