CSRF vulnerability in Password Manager Pro


During one of the many penetration tests that Infigo IS performs, one of our security experts found a vulnerability in the Password Manager Pro web application.

During one of those penetration tests, Infigo's intrepid pen tester Luka Sikic stumbled upon a vulnerability in Zoho's web application Password Manager Pro: the application had no protection against Cross-Site Request Forgery (CSRF).
Cross-Site Request Forgery attacks exploit the trust a web application places in the user's browser. Once a user is logged in, the browser automatically attaches the session cookie to every request sent to that application, no matter which site caused the request to be made. An attacker who lures a logged-in user onto a page under his control can therefore make the victim's browser submit GET or POST requests to vulnerable application endpoints, and the application processes them within the victim's already authenticated session.
For example, a logged-in administrator who visits any web page containing a hidden reference to the URL for updating a user's role will, without noticing, change the role of whichever user the attacker selected.
The only requirements are that the victim has a valid session with the tested Password Manager Pro instance and sufficient permissions to change roles.
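To make the failure mode concrete, here is an added toy model of a role-update endpoint, first as a handler that trusts the session cookie alone (the class of weakness described above) and then with the usual defences: state changes only over POST, an Origin check, and a per-session synchronizer token verified in constant time. This is illustrative code written for this post; it is not Password Manager Pro's real code, and the cookie name, origin, user names and role names are assumptions. The fixtures are constructed inline so the script runs offline.

```python
"""Toy model of a role-update endpoint without and with CSRF defences.
Hypothetical code for illustration; not Password Manager Pro's real code."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed fixtures (assumed names): one logged-in admin and a user directory.
APP_ORIGIN = "https://pmp.example.internal"   # assumed deployment origin
SESSIONS = {"s3ss10n-adm1n": "alice"}         # cookie value -> username
USERS = {"alice": "Administrator", "bob": "Password User"}
SECRET = secrets.token_bytes(32)              # server-side key for CSRF tokens


@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)  # attached by the browser automatically
    form: dict = field(default_factory=dict)     # fully controlled by the attacker's page
    headers: dict = field(default_factory=dict)  # Origin is set by the browser, not the page


def vulnerable_update_role(req, users):
    """Authenticates via the session cookie only, so a forged cross-site
    request that carries the victim's cookie is accepted."""
    user = SESSIONS.get(req.cookies.get("JSESSIONID"))
    if user is None or users.get(user) != "Administrator":
        return 401, "not an authenticated administrator"
    users[req.form["target"]] = req.form["role"]
    return 200, "role updated"


def issue_csrf_token(session_id):
    """Synchronizer token bound to the session with a server-side key; the
    application embeds it in its own forms, where a foreign page cannot read it."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def hardened_update_role(req, users):
    if req.method != "POST":
        return 405, "state changes are only accepted over POST"
    # Reject requests that a browser marks as coming from another origin.
    origin = req.headers.get("Origin")
    if origin is not None and origin != APP_ORIGIN:
        return 403, "cross-origin request rejected"
    session_id = req.cookies.get("JSESSIONID")
    user = SESSIONS.get(session_id)
    if user is None or users.get(user) != "Administrator":
        return 401, "not an authenticated administrator"
    # The token check is the primary defence: Origin may legitimately be absent.
    supplied = req.form.get("csrf_token", "")
    if not hmac.compare_digest(issue_csrf_token(session_id), supplied):
        return 403, "missing or invalid CSRF token"
    users[req.form["target"]] = req.form["role"]
    return 200, "role updated"


def forged_request(origin="https://attacker.example"):
    """What the victim's browser sends when an attacker's page auto-submits a
    form: the session cookie rides along, but the attacker has no CSRF token."""
    headers = {} if origin is None else {"Origin": origin}
    return Request("POST", {"JSESSIONID": "s3ss10n-adm1n"},
                   {"target": "bob", "role": "Administrator"}, headers)


def legitimate_request():
    return Request("POST", {"JSESSIONID": "s3ss10n-adm1n"},
                   {"target": "bob", "role": "Administrator",
                    "csrf_token": issue_csrf_token("s3ss10n-adm1n")},
                   {"Origin": APP_ORIGIN})


def demo():
    """Returns the status each handler gives to the forged and legitimate requests."""
    return {
        "vulnerable/forged": vulnerable_update_role(forged_request(), dict(USERS))[0],
        "hardened/forged": hardened_update_role(forged_request(), dict(USERS))[0],
        "hardened/forged-no-origin": hardened_update_role(forged_request(None), dict(USERS))[0],
        "hardened/legitimate": hardened_update_role(legitimate_request(), dict(USERS))[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```

In the vulnerable handler the forged request succeeds, because the cookie is all it checks; the hardened handler rejects it on the Origin header and, when no Origin is present, on the missing token. Marking the session cookie `SameSite=Lax` or `Strict` adds a browser-side layer, but the server-side token check is what makes the fix independent of client behaviour.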

The developer of Password Manager Pro was notified and the vulnerability has been patched. Anyone using the aforementioned application should upgrade to the latest version (currently 10.4, build 10403). If you would like to read through the CVE, you can do that here.