JVNDB-2016-002331

ManageEngine Password Manager Pro fails to restrict access permissions

Overview

ManageEngine Password Manager Pro provided by Zoho Corporation fails to restrict access permissions.

CVSS Severity

CVSS V3 Severity:
Base Metrics 6.5 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: Single Instance
  • Confidentiality Impact: Complete
  • Integrity Impact: None
  • Availability Impact: None
Affected Products


Zoho Corporation
  • ManageEngine Password Manager Pro 8.3.0 (Build 8303)
  • ManageEngine Password Manager Pro 8.4.0 (Build 8400, 8401, 8402)

Impact

A user may gain unauthorized access to other users' password entry history.
Solution

[Update the Software]
This vulnerability has been addressed in Password Manager Pro 8.4.0 (Build 8403).
Update to the latest version according to the information provided by the developer.
Vendor Information

Zoho Corporation

CWE

  1. Information Exposure (CWE-200) [NVD Evaluation]

CVE

  1. CVE-2016-1159
References

  1. JVN : JVNVU#90405898
  2. National Vulnerability Database (NVD) : CVE-2016-1159
  3. Related Information : Excellium Services (CVE-2016-1159)
Revision History

  • [2016/12/05]
      Web page was published