Critical Security Flaw Reported in Passwordstate Enterprise Password Manager


Dec 22, 2022 | Ravie Lakshmanan | Password Management / Online Security

Multiple high-severity vulnerabilities have been disclosed in the Passwordstate password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords.

"Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application," Swiss cybersecurity firm modzero AG said in a report published this week.

"Some of the individual vulnerabilities can be chained to gain a shell on the Passwordstate host system and dump all stored passwords in cleartext, starting with nothing more than a valid username."

Passwordstate, developed by an Australian company named Click Studios, has over 29,000 customers and is used by more than 370,000 IT professionals.

One of the flaws also affects the Passwordstate extension for the Chrome web browser. The latest version of the browser add-on is , which was released on September 7, 2022.


The list of vulnerabilities identified by modzero AG is below:

  • CVE-2022-3875 (CVSS score: 9.1) – An authentication bypass for Passwordstate's API
  • CVE-2022-3876 (CVSS score: 6.5) – A bypass of access controls via user-controlled keys
  • CVE-2022-3877 (CVSS score: 5.7) – A stored cross-site scripting (XSS) vulnerability in the URL field of every password entry
  • No CVE (CVSS score: 6.0) – An insufficient mechanism for securing passwords, relying on server-side symmetric encryption
  • No CVE (CVSS score: 5.3) – Use of hard-coded credentials to list audited events such as password requests and user account changes via the API
  • No CVE (CVSS score: 4.3) – Use of insufficiently protected credentials for Password Lists

Exploiting the vulnerabilities could enable an attacker with knowledge of a valid username to extract stored passwords in cleartext, overwrite the passwords in the database, or even elevate privileges to gain remote code execution.

What's more, an improper authorization flow (CVSS score: 3.7) identified in the Chrome browser extension could be weaponized to send all passwords to an actor-controlled domain.

In an attack chain demonstrated by modzero AG, a threat actor could forge an API token for an administrator account and exploit the XSS flaw to add a malicious password entry, obtaining a reverse shell and capturing the passwords hosted in the instance.

Users are recommended to update to Passwordstate 9.6 – Build 9653, released on November 7, 2022, or later versions to mitigate the potential threats.

Passwordstate, in April 2021, fell victim to a supply chain attack that allowed the attackers to leverage the service's update mechanism to drop a backdoor on customers' machines.
