Ghostpepper

**Name of the Vulnerable Software and Affected Versions** Bitwarden versions through 2023.2.1 **Description** The issue allows password auto-fill when the second-level domain matches. For example, a password stored for an example.com hosting provider will be auto-filled when visiting customer-website.example.com. It is noted that the vendor's position is that "Auto-fill on page load" is not enabled by default. **Recommendations** For versions through 2023.2.1, consider disabling the "Auto-fill on page load" feature to minimize the risk of exploitation.