
Multiple high-severity vulnerabilities have been disclosed in the Passwordstate password management solution that could be exploited by an unauthenticated remote adversary to obtain a user’s plaintext passwords.

“Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application,” Swiss cybersecurity firm modzero AG said in a report published this week.

“Some of the individual vulnerabilities can be chained to gain a shell on the Passwordstate host system and dump all stored passwords in cleartext, starting with nothing more than a valid username.”

Passwordstate, developed by an Australian company named Click Studios, has over 29,000 customers and is used by more than 370,000 IT professionals.

One of the flaws also impacts Passwordstate version 9.5.8.4 for the Chrome web browser. The latest version of the browser add-on is 9.6.1.2, which was released on September 7, 2022.
