Abstract Advisory Information
Security issue affecting the product Password Manager Pro (PMP) from the company ZOHO (https://www.manageengine.com/products/passwordmanagerpro). The personal area of the product, in which a user stores personal password entries for different account types, is exposed to CSRF attacks. Using this attack, it is possible to create or delete an arbitrary account. According to the vendor, before version 8.5 (Build 8500), protection against CSRF attacks was not implemented at all in the product. We have found usable exploitation of CSRF vulnerabilities only in the personal area.
Vendor release notes:
- https://www.manageengine.com/products/passwordmanagerpro/release-notes.html
- https://www.manageengine.com/products/passwordmanagerpro/issues-fixed.html
JVN ID: JVNVU#95113461 (http://jvn.jp/vu/JVNVU95113461/index.html)
CVE ID: CVE-2016-1161
Author: Dominique Righetto
Version affected
Versions prior to 8.5 (Build 8500).
Common Vulnerability Scoring System
6.5
Patches
The vulnerability is fixed as of version 8.5 (Build 8500). According to the vendor, protection against CSRF attacks was implemented in all application areas from Build 8500.
Vulnerability Disclosure Timeline
- 2016-03-16: Security note sent to ZOHO contact about the vulnerability.
- 2016-03-17: ZOHO acknowledged receipt of our note and started working on a fix.
- 2016-03-18: JVN ID and CVE ID requested from JPCERT/CC.
- 2016-03-19: CVE ID and JVN ID received.
- 2016-06-21: PMP 8.5 released.
- 2016-06-29: Fix reference updated on the vendor page.
- 2016-07-01: Security advisory published.