Vulnerability Management

Passwordstate enterprise password manager impacted by several bugs

Seven security vulnerabilities have been discovered in Click Studios' Passwordstate enterprise password manager that could be exploited to compromise user passwords, according to SecurityWeek. Click Studios has already remediated the flaws, identified by Modzero researchers, in an update released early last month. Threat actors with Passwordstate usernames could exploit the critical API authentication bypass bug, tracked as CVE-2022-3875, to secure access to users' website credentials, password lists, and one-time passwords. With individuals' usernames, attackers could create a dedicated API token before scanning all password lists and compromising the victim's account with a new cross-site scripting payload, said researchers. Other vulnerabilities identified by Modzero were given a low- or medium-severity rating. Passwordstate, which has been used by over 29,000 customers, has been an attractive target for threat actors, with the enterprise password manager being targeted in a supply chain attack in April 2021 that prompted the firm to urge password resets for all users.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.