---------------------------------------------------------------------
Zoho ManageEngine Password Manager Pro 10.x CSV Excel Macro Injection
---------------------------------------------------------------------

[-] Software Link:

https://www.manageengine.com/products/passwordmanagerpro/

[-] Affected Versions:

Version 10.x.

[-] Vulnerability Description:

If a resource is created with a name that contains a malicious payload (a spreadsheet formula), the exported CSV will cause particular spreadsheet editors, such as Microsoft Excel 2016, to execute the payload when the file is opened. Depending on the spreadsheet editor used, different attack methods are possible. In LibreOffice, for example, it is possible to perform local file data exfiltration.

[-] Solution:

The vendor replied that the vulnerability will not be fixed:

"This issue should be mitigated by the application which would be importing/interpreting data from an external source, as Microsoft Excel does (for example) by showing a warning. In other words, the proper fix should be applied when opening the CSV files, rather than when creating them. So, we don't see this as a security issue at our side."

[-] Disclosure Timeline:

[11/01/2020] - Vendor notified
[11/01/2020] - Vendor acknowledgement
[30/01/2020] - Vendor contacted again asking for updates
[03/02/2020] - Vendor replied, stated that it is a side effect of the CSV format and not a vulnerability in their product
[22/02/2020] - CVE number assigned
[09/03/2020] - Public disclosure

[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2020-9347 to this vulnerability.

[-] Credits:

Vulnerability discovered by Luka Sikic, INFIGO IS.

[-] Original Advisory:

https://www.infigo.hr/en/csv-excel-macro-injection-in-password-manager-pro-n68
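The export-side mitigation described by the advisory (neutralizing formula-like cells before they are written to the CSV) is shown below as an added example; it is not code from the advisory or from Password Manager Pro. The field names and sample resource rows are constructed, and the formulas used are harmless arithmetic.

```python
import csv
import io

# Leading characters that Excel and LibreOffice treat as the start of a
# formula, plus TAB/CR, which can break a value onto a new cell or record.
FORMULA_PREFIXES = ("=", "+", "-", "@", "\t", "\r")

# Constructed example schema for an exported resource list.
FIELDNAMES = ["resource_name", "resource_type"]
SAMPLE_RESOURCES = [
    {"resource_name": "prod-db-01", "resource_type": "Linux"},       # benign
    {"resource_name": "=SUM(1,2)", "resource_type": "Windows"},      # formula
    {"resource_name": "  @SUM(1,2)", "resource_type": "Windows"},    # formula after spaces
    {"resource_name": "-10", "resource_type": "Linux"},              # looks like a formula
]


def looks_like_formula(value: str) -> bool:
    """True if a spreadsheet would parse this cell as a formula on import.
    Leading spaces are ignored because Excel strips them before parsing."""
    return value.lstrip(" ").startswith(FORMULA_PREFIXES)


def neutralize_cell(value):
    """Force a formula-like cell to be read as literal text.
    A leading apostrophe is the text marker understood by Excel and LibreOffice;
    non-string values are passed through unchanged."""
    if isinstance(value, str) and looks_like_formula(value):
        return "'" + value
    return value


def export_resources(rows, fieldnames=FIELDNAMES) -> str:
    """Write rows as CSV with every cell quoted and every cell neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(v) for k, v in row.items()})
    return buf.getvalue()


def parse_back(csv_text: str):
    """Re-read the export the way a consumer would, returning data rows only."""
    return list(csv.reader(io.StringIO(csv_text)))[1:]


if __name__ == "__main__":
    print(export_resources(SAMPLE_RESOURCES))
```

The same `looks_like_formula` check can be applied at resource-creation time to flag or audit names that would be interpreted as formulas, independent of the export path.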