Abstract Advisory Information
Security issue affecting the product Password Manager Pro (PMP) from the company ZOHO (https://www.manageengine.com/products/passwordmanagerpro). A PMP user with the access level “Password User” (most restricted access level) that has access to no resource at all is able to retrieve resources entry password history using vulnerable hidden service. Vendor release notes: https://www.manageengine.com/products/passwordmanagerpro/release-notes.htmlhttps://www.manageengine.com/products/passwordmanagerpro/issues-fixed.html JVN ID: JVNVU#90405898 (http://jvn.jp/vu/JVNVU90405898/index.html) CVE ID: CVE-2016-1159
Authors: Dominique Righetto
8.3.0 (Build 8303) and version 8.4.0 (Build 8400,8401,8402).
Common Vulnerability Scoring System
The vulnerability is fixed from the version 8.4.0 (Build 8403) and a patch is available for the build 8402.
Vulnerability Disclosure Timeline
- 2016-02-23: Security note sent to ZOHO contact about the vulnerability.
- 2016-02-24: Acknowledge from ZOHO about reception of our note and start working on a fix.
- 2016-03-12: Ask for JVN ID and CVE ID to JPCERT/CC.
- 2016-03-18: JVN ID obtained.
- 2016-03-24: CVE ID obtained.
- 2016-03-24: Publishing of the Security Advisory.