Vulnerabilities
Misconfiguration
Runtime Security
Compliance
CVE Vulnerabilities

CVE-2020-9347

Improper Neutralization of Formula Elements in a CSV File

Published: Mar 16, 2020 | Modified: Apr 11, 2024
CVSS 3.x
9.8
CRITICAL
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS 2.x
7.5 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P
RedHat/V2
RedHat/V3
Ubuntu
Additional information
NVDhttps://nvd.nist.gov/vuln/detail/CVE-2020-9347
CWEhttps://cwe.mitre.org/data/definitions/1236.html

Zoho ManageEngine Password Manager Pro through 10.x has a CSV Excel Macro Injection vulnerability via a crafted name that is mishandled by the Export Passwords feature. NOTE: the vendor disputes the significance of this report because they expect CSV risk mitigation to be provided by an external application, and do not plan to add CSV constraints to their own products

Weakness

The product saves user-provided information into a Comma-Separated Value (CSV) file, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as a command when the file is opened by a spreadsheet product.

Affected Software

Name Vendor Start Version End Version
Manageengine_password_manager_pro Zohocorp 10.0 (including) 10.0 (including)
Manageengine_password_manager_pro Zohocorp 10.0-build10001 (including) 10.0-build10001 (including)
Manageengine_password_manager_pro Zohocorp 10.1-build10100 (including) 10.1-build10100 (including)
Manageengine_password_manager_pro Zohocorp 10.1-build10101 (including) 10.1-build10101 (including)
Manageengine_password_manager_pro Zohocorp 10.1-build10102 (including) 10.1-build10102 (including)
Manageengine_password_manager_pro Zohocorp 10.1-build10103 (including) 10.1-build10103 (including)
Manageengine_password_manager_pro Zohocorp 10.1-build10104 (including) 10.1-build10104 (including)
Manageengine_password_manager_pro Zohocorp 10.2-build10200 (including) 10.2-build10200 (including)
Manageengine_password_manager_pro Zohocorp 10.3-build10300 (including) 10.3-build10300 (including)
Manageengine_password_manager_pro Zohocorp 10.3-build10301 (including) 10.3-build10301 (including)
Manageengine_password_manager_pro Zohocorp 10.3-build10302 (including) 10.3-build10302 (including)
Manageengine_password_manager_pro Zohocorp 10.4 (including) 10.4 (including)
Manageengine_password_manager_pro Zohocorp 10.4-build10400 (including) 10.4-build10400 (including)
Manageengine_password_manager_pro Zohocorp 10.4-build10401 (including) 10.4-build10401 (including)
Manageengine_password_manager_pro Zohocorp 10.4-build10402 (including) 10.4-build10402 (including)

Potential Mitigations

References

Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use