| SI.No | Vulnerability Description | Date of Reporting | Patch Release (version) and Public Disclosure |
Associated CVE IDs |
|---|---|---|---|---|
| 1 | Due to an inadequate CSRF protection to the URL, there was a risk of attackers changing user roles in Password Manager Pro. | January 11, 2020 | March 2020, v10403 | CVE-2020-9346 (Reported by: Luka Sikic of INFIGO) |
| 2 | SparkGateway, which comes bundled with Password Manager Pro to enable RDP connections to target systems, has been upgraded from v5.0 to v5.6 to support CredSSP protocol v6. This latest version released by Microsoft contains security updates to address a remote code execution vulnerability that existed in the protocol. | April 27, 2018 | May 2018, v9601 | CVE-2018-0886 |
| 3 | Cross-Site Request Forgery vulnerability. This vulnerability could be exploited by Password Manager Pro users while remaining authenticated, provided the user has knowledge about PMP's URL construction pattern and various parameters to craft forged requests. This could be exploited only by forging the URL and not through inputs in the GUI. | June 2015 | June 2016, v8500 | JVNVU#95113461 CVE-2016-1161 (Reported by: CSIRT, Excellium Services) |
| 4 | While viewing old passwords from password history, it was possible for a password user to retrieve password history of unshared passwords by manipulating the request URL. | February 23, 2016 | April 2016, v8403 | CVE-2016-1159 (Reported by: CSIRT, Excellium Services) |
| 5 | A SQL injection vulnerability identified in advanced search module of PMP has been fixed. | June 2015 | July 2015, v8101 | CVE-2015-5459 |
| 6 | An XML external entity injection identified in XMLRPC API has been fixed | May 2014 | May 2015, v8000 | - |
| 7 | A SQL injection identified in PMP web application has been fixed. | October 27, 2014 | November 2014, v7105 | CVE-2014-8499 |
| 6 | A clickjacking vulnerability identified in PMP web application has been fixed. | October 27, 2014 | November 2014, v7105 | - |
| 8 | A filename Denial of Service vulnerability identified in PMP has been fixed. | February 2014 | September 2014, v7103 | CVE-2014-9372 |
| 9 | Fixed a backdoor issue through which SQL injection was possible in PMP. | June 2014 | June 2014, v7003 | CVE-2014-3997, CVE-2014-3996 |
| 10 | Possibility for an XSS vulnerability (which can be triggered during authentication), was identified in PMP v7001. This has been fixed. | March 20, 2014 | April 2014, v7002 | - |
| 11 | PMP v7001 was identified to be having directory traversal vulnerability. This has been fixed by updating the RDP gateway. | March 20, 2014 | April 2014, v7002 | - |
SSL & SSH Key Management