Critical Security Flaw Reported in Passwordstate Enterprise Password Manager

Dec 22, 2022 | Ravie Lakshmanan | Password Management / Online Security

Multiple high-severity vulnerabilities have been disclosed in the Passwordstate password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords.

"Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application," Swiss cybersecurity firm modzero AG said in a report published this week.

"Some of the individual vulnerabilities can be chained to gain a shell on the Passwordstate host system and dump all stored passwords in cleartext, starting with nothing more than a valid username."

Passwordstate, developed by an Australian company named Click Studios, has over 29,000 customers and is used by more than 370,000 IT professionals.

One of the issues also affects version 9.5.8.4 of the Passwordstate extension for the Chrome web browser. The latest version of the browser add-on is 9.6.1.2, which was released on September 7, 2022.

The list of vulnerabilities identified by modzero AG is below –

  • CVE-2022-3875 (CVSS score: 9.1) – An authentication bypass for Passwordstate's API
  • CVE-2022-3876 (CVSS score: 6.5) – A bypass of access controls through user-controlled keys
  • CVE-2022-3877 (CVSS score: 5.7) – A stored cross-site scripting (XSS) vulnerability in the URL field of every password entry
  • No CVE (CVSS score: 6.0) – An insufficient mechanism for securing passwords by using server-side symmetric encryption
  • No CVE (CVSS score: 5.3) – Use of hard-coded credentials to list audited events such as password requests and user account changes through the API
  • No CVE (CVSS score: 4.3) – Use of insufficiently protected credentials for Password Lists
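The stored XSS item above concerns attacker-controlled text in a password entry's URL field reaching a page where other users view it. The following is an added example, not Passwordstate code and not a description of how Click Studios fixed the issue: it shows the two checks a practitioner would want for any user-supplied URL field, validation on write (a scheme allowlist on top of the WHATWG URL parser, which also rejects relative and unparseable input) and HTML encoding on read. The function names and the sample inputs are constructed for illustration.

```javascript
// Added example (not Passwordstate code): hardening a stored "URL" field
// against stored XSS. Layer 1: validate and normalize on write.
// Layer 2: HTML-escape on read, even for values that passed layer 1.

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Returns the normalized URL string if acceptable, or null if the value
// must be rejected. Rejects javascript:, data:, vbscript: and any other
// scheme, relative paths, unparseable strings and embedded credentials.
function sanitizeEntryUrl(raw) {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 2048) return null;
  let parsed;
  try {
    parsed = new URL(raw.trim()); // throws on relative or unparseable input
  } catch {
    return null;
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  if (parsed.username || parsed.password) return null; // no user:pw@host in a URL field
  // parsed.href has <, >, " and spaces percent-encoded by the URL parser
  return parsed.href;
}

// Minimal HTML escaping, safe for text nodes and double-quoted attributes.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Render the clickable link for a password entry. A rejected URL is shown
// as inert, escaped text rather than dropped silently, so the bad value
// stays visible to an auditor without ever becoming an href.
function renderEntryLink(storedUrl) {
  const safe = sanitizeEntryUrl(storedUrl);
  if (safe === null) {
    return `<span class="invalid-url">${escapeHtml(String(storedUrl ?? ""))}</span>`;
  }
  return `<a href="${escapeHtml(safe)}" rel="noopener noreferrer" target="_blank">${escapeHtml(safe)}</a>`;
}

// Constructed sample inputs (hypothetical, not taken from the advisory).
const SAMPLE_URLS = [
  "https://intranet.example.com/login",
  "javascript:alert(document.cookie)",
  'https://example.com/"><img src=x onerror=alert(1)>',
  "/relative/path",
  "https://user:pw@example.com/",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const s of SAMPLE_URLS) {
    console.log(JSON.stringify(s), "->", renderEntryLink(s));
  }
}
```

The allowlist is deliberately on the scheme rather than a denylist of `javascript:`, since the URL parser normalizes case and whitespace and new dangerous schemes would otherwise slip through; the render-time escaping remains necessary because a syntactically valid `https:` URL can still carry quote or angle-bracket characters in its query or path.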

Exploiting the vulnerabilities could enable an attacker with knowledge of a valid username to extract stored passwords in cleartext, overwrite the passwords in the database, and even elevate privileges to gain remote code execution.

What's more, an improper authorization flow (CVSS score: 3.7) identified in the Chrome browser extension could be weaponized to send all passwords to an actor-controlled domain.

In an attack chain demonstrated by modzero AG, a threat actor could forge an API token for an administrator account and exploit the XSS flaw to add a malicious password entry, obtaining a reverse shell and capturing the passwords hosted in the instance.

Users are recommended to update to Passwordstate 9.6 – Build 9653, released on November 7, 2022, or a later version to mitigate the potential threats.

Passwordstate, in April 2021, fell victim to a supply chain attack in which the attackers leveraged the service's update mechanism to drop a backdoor on customers' machines.
