Critical Security Flaw in Passwordstate Password Manager

Multiple high-severity vulnerabilities have been disclosed in password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords.

“Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within the application,” Swiss cybersecurity firm modzero AG said in a report published this week.

“Some of the individual vulnerabilities can be chained to gain a shell on the Passwordstate host system and dump all stored passwords in cleartext, starting with nothing more than a valid username.”

Passwordstate, developed by an Australian company named Click Studios, has over 29,000 customers and is used by more than 370,000 IT professionals.

One of the flaws also impacts Passwordstate version for the Chrome web browser. The latest version of the browser add-on is, which was released on September 7, 2022.

The list of vulnerabilities identified by modzero AG is below.

  • CVE-2022-3875 (CVSS score: 9.1) IndustryPasswordstate's API
  • CVE-2022-3876 (CVSS score: 6.5) Industryuser-controlled keys
  • CVE-2022-3877 (CVSS score: 5.7) Industrycross-site scripting (XSS) vulnerability in the URL field of every password entry
  • No CVE (CVSS score: 6.0) Industryserver-side symmetric encryption
  • No CVE (CVSS score: 5.3) Industryhard-coded credentials to list audited events such as password requests and user account changes through the API
  • No CVE (CVSS score: 4.3) IndustryLists

Exploiting the vulnerabilities could permit an attacker with knowledge of a valid username to extract saved passwords in cleartext, overwrite the passwords in the database, and even elevate privileges to achieve remote code execution.

What's more, an improper authorization flow (CVSS score: 3.7) identified in the Chrome browser extension could be weaponized to send all passwords to an actor-controlled domain.

In an attack chain demonstrated by modzero AG, a threat actor could forge an API token for an administrator account and exploit the XSS to add a malicious password entry to obtain a reverse shell and grab the passwords hosted in the instance.

Users are recommended to update to Passwordstate 9.6 Industry7, 2022, or later versions to mitigate the potential threats.

Passwordstate, in April 2021, fell victim to a supply chain attack that allowed the attackers to leverage the service's update mechanism to drop a backdoor on customer's machines.

You might also like

Comments are closed.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. AcceptRead More