Researchers discovered that the Passwordstate enterprise password manager made by Australian company Click Studios is affected by serious vulnerabilities that could allow an unauthenticated attacker to obtain a user’s passwords.
The security holes, patched in early November with the release of version 9.6 build 9653, were reported to the developer in August by Swiss cybersecurity firm Modzero.
Modzero researchers discovered a total of seven types of vulnerabilities in Passwordstate, including issues related to authentication and authorization bypass, improper password protection, hardcoded credentials, and a stored cross-site scripting (XSS) flaw.
An API authentication bypass tracked as CVE-2022-3875 has been assigned a ‘critical’ severity rating. It can allow an unauthenticated attacker to bypass authentication for the Passwordstate API, enabling them to gain access to a user’s website passwords, one-time passwords (OTPs), password lists, and other secrets by knowing only their username.
The remaining security holes have been rated ‘medium’ or ‘low’, but they can still pose a significant risk when chained with other vulnerabilities.