-----------------------------------------------------------------------------
Zoho ManageEngine Password Manager Pro 10.4 Cross Site Request Forgery (CSRF)
-----------------------------------------------------------------------------

[-] Software Link:

https://www.manageengine.com/products/passwordmanagerpro/

[-] Affected Versions:

Version 10.4 and older (build <10403).

[-] Vulnerability Description:

Zoho ManageEngine Password Manager Pro 10.4 has no protection against Cross-Site Request Forgery (CSRF) attacks.

CSRF attacks exploit the trust a browser has established between a logged-in user and the web application in order to perform actions on behalf of an unwitting user who visits a malicious website. An attacker can prepare such a website and lead users into visiting it, causing their browsers to submit GET or POST HTTP requests to vulnerable application endpoints using the users' already authorized application sessions.

For example, a logged-in user can unknowingly change a particular user's role if he/she visits any web page that references the URL address used for updating a user's role. The only requirement is that the user (the victim) has a valid session with the tested Password Manager Pro web application and sufficient permissions to change the role.

[-] Solution:

Download the new version from the official website (build 10403 or newer).

[-] Disclosure Timeline:

[11/01/2020] - Vendor notified
[11/01/2020] - Vendor acknowledgement
[30/01/2020] - Vendor contacted again asking for updates
[03/02/2020] - Vendor replied: the CSRF vulnerability is fixed, waiting for release of the patch
[22/02/2020] - CVE number assigned
[09/03/2020] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2020-9346 to this vulnerability.

[-] Credits:

Vulnerability discovered by Luka Sikic, INFIGO IS.

[-] Original Advisory:

https://www.infigo.hr/en/csrf-vulnerability-in-password-manager-pro-n67
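The vulnerability description above says the application lacks any CSRF protection. The following is an added example, not code from the advisory or from the vendor, showing what a server-side gate in front of a state-changing handler such as a user-role update looks like: a per-session synchronizer token compared in constant time, combined with an Origin/Referer check, and an outright refusal of state changes over GET. The deployment origin, the request shape and the sample traffic in demo() are constructed for illustration; the advisory does not disclose the real endpoint.

```python
import hmac
import secrets
from urllib.parse import urlparse

APP_ORIGIN = "https://pmp.example.internal"  # assumed deployment origin (constructed)
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the server-side session. The application
    embeds it in its own forms; a page on another origin cannot read it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def _origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, failing that, Referer) names this
    deployment. A missing header is rejected: the app's own form posts carry one."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed, expected = urlparse(source), urlparse(APP_ORIGIN)
    return (parsed.scheme, parsed.netloc) == (expected.scheme, expected.netloc)

def csrf_check(request: dict, session: dict) -> tuple:
    """Gate a state-changing handler (here: a hypothetical user-role update).
    `request` is a constructed dict with 'method', 'headers' and 'form' keys
    standing in for a real framework request. Returns (allowed, reason)."""
    method = request["method"].upper()
    if method not in STATE_CHANGING_METHODS:
        # A role change over GET is the advisory's scenario: any page that
        # references the URL can trigger it, so refuse the method outright.
        return (False, "state change refused over safe method " + method)
    if not _origin_allowed(request.get("headers", {})):
        return (False, "origin not allowed")
    expected = session.get("csrf_token")
    supplied = request.get("form", {}).get("csrf_token", "")
    # Constant-time compare; also fails when no token was issued for the session.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return (False, "missing or invalid CSRF token")
    return (True, "ok")

def demo() -> dict:
    """Constructed traffic: the app's own role-update post, a forged cross-site
    post, and a forged GET. Returns the verdict reason for each."""
    session = {}
    token = issue_csrf_token(session)
    own = {"method": "POST", "headers": {"Origin": APP_ORIGIN}, "form": {"csrf_token": token}}
    forged = {"method": "POST", "headers": {"Origin": "https://attacker.example"}, "form": {}}
    forged_get = {"method": "GET", "headers": {"Referer": "https://attacker.example/p"}, "form": {}}
    cases = (("own", own), ("forged_post", forged), ("forged_get", forged_get))
    return {name: csrf_check(req, session)[1] for name, req in cases}
```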