PT-2020-20601 · Zoho · Manageengine Password Manager Pro
Luka Sikic · Published 2020-03-16 · Updated 2022-10-07 · CVE-2020-9346
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Zoho ManageEngine Password Manager Pro versions 10.4 and prior
Description
The affected versions lack protection against Cross-site Request Forgery (CSRF): state-changing requests are not bound to the user's session with a request token, so a victim's browser can be made to submit them without the victim's intent. The impact has been demonstrated by changing a user's role.
Recommendations
For Zoho ManageEngine Password Manager Pro versions 10.4 and prior, consider implementing additional security measures to protect against CSRF attacks, such as validating request tokens, until a patch is available.
As a temporary workaround, restrict access to sensitive user management functions to minimize the risk of exploitation.
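The following is an added illustration of the request-token validation the recommendation refers to; it is example code written for this page, not code from ManageEngine or Zoho. It shows the synchronizer-token pattern on a hypothetical role-change handler: the token is generated per session, rendered into the application's own forms, and compared in constant time on every state-changing request, with an Origin/Referer check as a second layer. The handler name `change_user_role`, the origin `https://pmp.example.internal`, and the user table are constructed assumptions.

```python
# Added example: synchronizer-token CSRF protection for a role-change endpoint.
# Hypothetical minimal handler, not ManageEngine code. Names, origins and users
# below are constructed for illustration.
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Origins the application is served from (constructed placeholder).
ALLOWED_ORIGINS = {"https://pmp.example.internal"}


@dataclass
class Session:
    """Server-side session of an authenticated user, carrying a per-session
    anti-CSRF token that is rendered into every state-changing form."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def request_origin(headers):
    """Return 'scheme://host[:port]' from Origin (preferred) or Referer, or None."""
    origin = headers.get("Origin")
    if origin:
        return origin.rstrip("/")
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def csrf_check(session, headers, form):
    """Reject the request unless it comes from an allowed origin AND carries the
    session's token. Returns (accepted, reason)."""
    origin = request_origin(headers)
    if origin is None:
        return False, "missing Origin/Referer"
    if origin not in ALLOWED_ORIGINS:
        return False, f"cross-origin request from {origin}"
    token = form.get("csrf_token", "")
    # Constant-time comparison so timing does not leak the token byte by byte.
    if not token or not hmac.compare_digest(token, session.csrf_token):
        return False, "missing or invalid csrf_token"
    return True, "ok"


def change_user_role(session, headers, form, users):
    """State-changing action: only runs after the CSRF check passes and the
    acting user is an administrator."""
    accepted, reason = csrf_check(session, headers, form)
    if not accepted:
        return {"status": 403, "reason": reason}
    if users.get(session.user) != "admin":
        return {"status": 403, "reason": "only administrators may change roles"}
    target, new_role = form["user"], form["role"]
    if target not in users:
        return {"status": 404, "reason": "unknown user"}
    users[target] = new_role
    return {"status": 200, "reason": "ok"}


def demo():
    """Drive the handler with two requests that must be rejected and one that
    must succeed. Returns (list of responses, final user table)."""
    users = {"alice": "admin", "bob": "user"}   # constructed user table
    session = Session(user="alice")
    good_headers = {"Origin": "https://pmp.example.internal"}
    results = []
    # 1. Request submitted from another site: the browser reports that site's
    #    origin, and that site cannot read the token from the victim's page.
    results.append(change_user_role(session, {"Origin": "https://attacker.example"},
                                    {"user": "bob", "role": "admin"}, users))
    # 2. Same origin but no token, e.g. a form the application forgot to protect.
    results.append(change_user_role(session, good_headers,
                                    {"user": "bob", "role": "admin"}, users))
    # 3. Legitimate request from the application's own form, token included.
    results.append(change_user_role(session, good_headers,
                                    {"user": "bob", "role": "admin",
                                     "csrf_token": session.csrf_token}, users))
    return results, users


if __name__ == "__main__":
    for response in demo()[0]:
        print(response)
```

The origin check alone is not sufficient (some clients omit Referer, and an Origin header can be absent on older browsers), which is why the token comparison is mandatory and the origin check only adds defence in depth. Tokens are generated with `secrets` and compared with `hmac.compare_digest`; a token that is predictable or compared with `==` weakens the protection.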
Fix
CSRF
Affected Products: Manageengine Password Manager Pro