Issues Fixed

ManageEngine Password Manager Pro

List of vulnerabilities reported and fixed:

| SI. No. | Vulnerability Description | Date of Reporting | Patch Release (version) and Public Disclosure | Associated CVE IDs |
|---|---|---|---|---|
| 1 | Due to inadequate CSRF protection on the URL, there was a risk of attackers changing user roles in Password Manager Pro. (Reported by: Luka Sikic of INFIGO) | January 11, 2020 | March 2020, v10403 | CVE-2020-9346 |
| 2 | SparkGateway, which comes bundled with Password Manager Pro to enable RDP connections to target systems, has been upgraded from v5.0 to v5.6 to support CredSSP protocol v6. This latest version released by Microsoft contains security updates that address a remote code execution vulnerability in the protocol. | April 27, 2018 | May 2018, v9601 | CVE-2018-0886 |
| 3 | Cross-Site Request Forgery vulnerability. This vulnerability could be exploited by Password Manager Pro users while remaining authenticated, provided the user knew PMP's URL construction pattern and the parameters needed to craft forged requests. It could be exploited only by forging the URL, not through inputs in the GUI. (Reported by: CSIRT, Excellium Services) | June 2015 | June 2016, v8500 | JVNVU#95113461 |
| 4 | While viewing old passwords from the password history, it was possible for a password user to retrieve the password history of unshared passwords by manipulating the request URL. (Reported by: CSIRT, Excellium Services) | February 23, 2016 | April 2016, v8403 | CVE-2016-1159 |
| 5 | A SQL injection vulnerability identified in the advanced search module of PMP has been fixed. | June 2015 | July 2015, v8101 | CVE-2015-5459 |
| 6 | An XML external entity injection identified in the XMLRPC API has been fixed. | May 2014 | May 2015, v8000 | - |
| 7 | A SQL injection identified in the PMP web application has been fixed. | October 27, 2014 | November 2014, v7105 | CVE-2014-8499 |
| 6 | A clickjacking vulnerability identified in the PMP web application has been fixed. | October 27, 2014 | November 2014, v7105 | - |
| 8 | A filename Denial of Service vulnerability identified in PMP has been fixed. | February 2014 | September 2014, v7103 | CVE-2014-9372 |
| 9 | A backdoor issue through which SQL injection was possible in PMP has been fixed. | June 2014 | June 2014, v7003 | CVE-2014-3997, CVE-2014-3996 |
| 10 | A possible XSS vulnerability (which could be triggered during authentication) was identified in PMP v7001. This has been fixed. | March 20, 2014 | April 2014, v7002 | - |
| 11 | PMP v7001 was found to have a directory traversal vulnerability. This has been fixed by updating the RDP gateway. | March 20, 2014 | April 2014, v7002 | - |
