CVE-2020-9347 : Vulnerability Insights and Analysis

Learn about CVE-2020-9347 affecting Zoho ManageEngine Password Manager Pro versions up to 10.x. Understand the impact, exploitation, and mitigation steps for this CSV Excel Macro Injection vulnerability.

Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability that can be exploited via a crafted name mishandled by the Export Passwords feature. The vendor disputes the severity of this issue.

Understanding CVE-2020-9347

This CVE involves a vulnerability in Zoho ManageEngine Password Manager Pro that allows CSV Excel Macro Injection.

What is CVE-2020-9347?

This CVE refers to a security flaw in Zoho ManageEngine Password Manager Pro versions up to 10.x, where a specially crafted name can lead to CSV Excel Macro Injection.

The Impact of CVE-2020-9347

The vulnerability could allow an attacker to execute malicious Excel macros through the Export Passwords feature, compromising the security of the system.

Technical Details of CVE-2020-9347

Zoho ManageEngine Password Manager Pro vulnerability details.

Vulnerability Description

The vulnerability arises because the Export Passwords feature mishandles crafted names, enabling CSV Excel Macro Injection.

Affected Systems and Versions

        Product: Zoho ManageEngine Password Manager Pro
        Versions: Up to 10.x

Exploitation Mechanism

The vulnerability can be exploited by supplying a crafted name that the Export Passwords feature mishandles, which injects malicious Excel macros.

Mitigation and Prevention

Protecting systems from CVE-2020-9347.

Immediate Steps to Take

        Disable or restrict the use of the Export Passwords feature if not essential.
        Regularly monitor and review password exports for any suspicious activity.
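
One way to carry out the export review step above, as an added example (not code from Zoho or from this page): it flags cells in an exported CSV that a spreadsheet would evaluate and writes a neutralised copy. The column names and sample rows are constructed, and the trigger-character list follows OWASP's CSV injection guidance rather than anything stated in the advisory.

```python
import csv
import io
import re

# Leading characters that spreadsheet applications treat as the start of a
# formula (assumption: list taken from OWASP's CSV injection guidance).
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")
PLAIN_NUMBER = re.compile(r"[+-]?\d+(\.\d+)?")

# Constructed sample export; column names and values are illustrative only.
SAMPLE_EXPORT = (
    "Resource Name,User Account,Notes\n"
    "db-prod-01,svc_backup,nightly job\n"
    "=1+1,admin,crafted resource name\n"
    "web-01,@SUM(A1:A2),crafted account name\n"
    "router,-12.5,plain negative number\n"
)

def is_risky(cell):
    """True if a spreadsheet may evaluate this cell instead of displaying it."""
    if PLAIN_NUMBER.fullmatch(cell.strip()):
        return False  # signed numbers such as -12.5 are data, not formulas
    # Leading spaces are ignored so padded values are flagged conservatively.
    return cell.lstrip(" ").startswith(FORMULA_TRIGGERS)

def audit_export(csv_text):
    """Return (line number, column, value) for every risky cell."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        for column, value in row.items():
            if isinstance(value, str) and is_risky(value):
                findings.append((reader.line_num, column, value))
    return findings

def neutralise(csv_text):
    """Rewrite the export so risky cells open as text (prefixed with ')."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(csv_text)):
        writer.writerow(["'" + c if is_risky(c) else c for c in row])
    return out.getvalue()

if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print("risky cell:", finding)
    print(neutralise(SAMPLE_EXPORT))
```

Run the audit on an export before anyone opens it in a spreadsheet application; a non-empty result points at the resource or account entry whose name should be reviewed at the source.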

Long-Term Security Practices

        Educate users on safe password management practices.
        Implement security awareness training to recognize phishing attempts.

Patching and Updates

        Stay informed about vendor updates and patches related to this vulnerability.
        Apply security patches promptly to mitigate the risk of exploitation.
