
Critical Security Flaw Reported in Passwordstate Enterprise Password Manager

December 22, 2022

Multiple high-severity vulnerabilities have been disclosed in the Passwordstate password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords.

"Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application," Swiss cybersecurity firm modzero AG said in a report published this week.

"Some of the individual vulnerabilities can be chained to obtain a shell on the Passwordstate host system and dump all stored passwords in cleartext, starting with nothing more than a valid username."


Passwordstate, developed by an Australian company named Click Studios, has over 29,000 customers and is used by more than 370,000 IT professionals.

One of the flaws also affects Passwordstate version 9.5.8.4 for the Chrome web browser. The latest version of the browser add-on is 9.6.1.2, which was released on September 7, 2022.

The list of vulnerabilities identified by modzero AG is below:

  • CVE-2022-3875 (CVSS score: 9.1) – An authentication bypass for Passwordstate's API
  • CVE-2022-3876 (CVSS score: 6.5) – A bypass of access controls through user-controlled keys
  • CVE-2022-3877 (CVSS score: 5.7) – A stored cross-site scripting (XSS) vulnerability in the URL field of every password entry
  • No CVE (CVSS score: 6.0) – An insufficient mechanism for securing passwords using server-side symmetric encryption
  • No CVE (CVSS score: 5.3) – Use of hard-coded credentials to list audited events such as password requests and user account changes via the API
  • No CVE (CVSS score: 4.3) – Use of insufficiently protected credentials for Password Lists
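The stored XSS item above concerns the URL field of a password entry. As an added illustration (not code from modzero or Click Studios, and the page gives no detail on the injection vector), the following assumes the stored URL is rendered as a clickable link and shows the defensive pattern a password manager would want there: an allowlist of URL schemes on input plus HTML escaping on output, so a value such as `javascript:` or raw markup is shown as inert text rather than executed.

```python
from html import escape
from urllib.parse import urlsplit

# Schemes a password manager can safely turn into a clickable link.
# Anything else (javascript:, data:, vbscript:, ...) must never become an href.
ALLOWED_SCHEMES = {"http", "https"}


def is_safe_entry_url(value: str) -> bool:
    """Return True only if value is an absolute http(s) URL with a host and no control characters."""
    if not value:
        return False
    # Reject tabs, newlines and other control characters up front: some URL
    # parsers silently strip them, which lets "java\tscript:" slip past naive checks.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in value):
        return False
    parts = urlsplit(value.strip())
    # urlsplit lowercases the scheme, so mixed-case variants are caught as well.
    return parts.scheme in ALLOWED_SCHEMES and bool(parts.netloc)


def render_entry_link(value: str) -> str:
    """Produce the HTML for the URL column of a password entry.

    Allowed URLs become a link; everything else is HTML-escaped and shown as
    plain text, so stored markup cannot execute in the viewer's browser.
    """
    if is_safe_entry_url(value):
        safe = escape(value.strip(), quote=True)
        return f'<a href="{safe}" rel="noopener noreferrer">{safe}</a>'
    return escape(value, quote=True)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real Passwordstate instance.
    for sample in ("https://example.com/login", "javascript:alert(1)",
                   "<img src=x onerror=alert(1)>"):
        print(repr(sample), "->", render_entry_link(sample))
```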

Exploiting the vulnerabilities could allow an attacker with knowledge of a valid username to extract stored passwords in cleartext, overwrite the passwords in the database, and even elevate privileges to achieve remote code execution.

What's more, an incorrect authorization flaw (CVSS score: 3.7) found in the Chrome browser extension could be weaponized to send all passwords to an actor-controlled domain.

In an attack chain demonstrated by modzero AG, a threat actor could forge an API token for an administrator account and exploit the XSS flaw to add a malicious password entry in order to obtain a reverse shell and retrieve the passwords hosted in the instance.

Users are recommended to update to Passwordstate 9.6 – Build 9653, released on November 7, 2022, or later versions to mitigate the potential threats.

Passwordstate, in April 2021, fell victim to a supply chain attack that allowed the attackers to leverage the service's update mechanism to drop a backdoor on customers' devices.



Some parts of this article are sourced from:
thehackernews.com
