CVE-2020-9347

Name of the Vulnerable Software and Affected Versions Zoho ManageEngine Password Manager Pro versions prior to 11.x

Description The issue is related to a CSV Excel Macro Injection vulnerability. It occurs when a crafted name is mishandled by the Export Passwords feature. The vendor has expressed a dispute over the significance of this report, citing their expectation that CSV risk mitigation should be handled by an external application.

Recommendations For Zoho ManageEngine Password Manager Pro versions prior to 11.x, consider disabling the Export Passwords feature until a patch is available. Restrict access to the feature to minimize the risk of exploitation. Avoid using crafted names that could be mishandled by the feature. At the moment, there is no information about a newer version that contains a fix for this vulnerability.