CVE-2023-43295: Security - Click Studios

Cross Site Request Forgery vulnerability in Click Studios (SA) Pty Ltd Passwordstate v.Build 9785 and before allows a local attacker to execute arbitrary code via a crafted request.


Incident Management Advisories

Major Incidents

Click Studios has an established Incident Management Plan that is used in the event of major incidents affecting Passwordstate’s operation.

As part of the Incident Management Process, Click Studios will email all customers advising to check this advisories page for updates. Advisories detail the best known information available, at a point in time, and are the only authorized updates for existing and potential customers, media and interested parties. By publishing these advisories, representing the single source of truth, Technical Support Team members, developers and Pre-Sales staff can focus solely on assisting customers with the major incident.

Please be aware that emails to Sales or Support, requesting additional information, will be replied to with a standard response directing the requestor to this Advisories page. Please understand, if Click Studios invokes the Incident Management Plan, our number one priority is working with our customers to identify if they have been affected and advising them of required remedial actions.

We recommend any interested party periodically check this advisories page for the latest updates.

Advisories:

There are no current major incidents at this time.

Common Vulnerabilities and Exposures:

The table below provides a list of Click Studios confirmed information-security vulnerabilities and exposures for Passwordstate or associated modules. Interested parties can subscribe to this list to be notified when new CVEs are added.

| Date | CVE(s) | Severity | Product | Description | Fixed in |
| --- | --- | --- | --- | --- | --- |
| 2023-09-25 | CVE Pending | Low | Passwordstate API | Incorrect Access Control allowing the potential for an existing Security Administrator to use the System Wide API Key to interact with private password lists for Password History, delete and copy/move API endpoints. | Build 9811 |
| 2023-08-31 | CVE-2023-43295 | Low | Passwordstate Core | Fixed a potential Cross-Site Request Forgery (CSRF) failure, for authenticated sessions, which allowed remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a carefully crafted request. | Build 9795 |
| 2022-11-07 | CVE-2022-3877 | Medium | Passwordstate Core | Cross site scripting vulnerability for URL field | Build 9653 |
| 2022-09-05 | CVE-2022-3875 | High | Passwordstate API | Authentication bypass by assumed-immutable data | Build 9611 |
| 2022-09-05 | CVE-2022-3876 | Medium | Passwordstate API | Manipulation of the argument PasswordID leads to authorization bypass | Build 9611 |
| 2020-10-29 | CVE-2020-27747 | Low | Mobile Web Site (Deprecated) | Lack of brute force attack detection on PIN code authentication | Build 8987 |
| 2020-10-05 | CVE-2020-26061 | High | Password Reset Portal | A well crafted HTTP request allowed setting a password for a registered user | Build 8501 |
| 2018-08-01 | CVE-2018-14776 | Low | Passwordstate Core | XSS by authenticated users via an uploaded HTML document | Build 8397 |

Subscribe to our Announcements/Advisories RSS Feed

Subscribe to our RSS Feed for the latest announcements and security advisories.

Simply add the URL https://forums.clickstudios.com.au/forum/6-announcements.xml to your favorite RSS Reader.

Related news

Critical Security Flaw Reported in Passwordstate Enterprise Password Manager

Multiple high-severity vulnerabilities have been disclosed in the Passwordstate password management solution that could be exploited by an unauthenticated remote adversary to obtain a user's plaintext passwords. "Successful exploitation allows an unauthenticated attacker to exfiltrate passwords from an instance, overwrite all stored passwords within the database, or elevate their privileges within

CVE-2022-3877

A vulnerability, which was classified as problematic, was found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. Affected is an unknown function of the component URL Field Handler. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. VDB-216246 is the identifier assigned to this vulnerability.
