Jan Benninger

**Name of the Vulnerable Software and Affected Versions** Click Studios Passwordstate versions prior to 9.6 build 9653 Click Studios Passwordstate Browser Extension Chrome versions prior to 9.6 build 9653 **Description** A critical vulnerability was found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome, affecting the component API. The manipulation leads to authentication bypass by assumed-immutable data, and the attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Researchers discovered seven types of vulnerabilities, including problems related to authentication and authorization bypass, incorrect password protection, hardcoded credentials, and XSS vulnerability. The vulnerability may allow an unauthenticated attacker to extract user passwords. Given the product's wide adoption, including by Fortune 500 companies, Passwordstate is a frequent target for hackers. **Recommendations** For Click Studios Passwordstate versions prior to 9.6 build 9653, upgrade to version 9.6 build 9653 or later to resolve the issue. For Click Studios Passwordstate Browser Extension Chrome versions prior to 9.6 build 9653, upgrade to version 9.6 build 9653 or later to resolve the issue. As a temporary workaround, consider restricting access to the API component until a patch is available. Avoid using the Passwordstate Browser Extension Chrome until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Click Studios Passwordstate (affected versions not specified) Click Studios Passwordstate Browser Extension Chrome (affected versions not specified) **Description** A problematic issue has been found in the API component, affecting the processing of the file /api/browserextension/UpdatePassword/. The manipulation of the `PasswordID` argument leads to authorization bypass. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** Upgrade the affected component to a newer version. As a temporary workaround, consider restricting access to the /api/browserextension/UpdatePassword/ API endpoint until a patch is available. Avoid using the `PasswordID` argument in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Click Studios Passwordstate (affected versions not specified) Click Studios Passwordstate Browser Extension Chrome (affected versions not specified) **Description** A problematic vulnerability was found in the component URL Field Handler of Click Studios Passwordstate and Passwordstate Browser Extension Chrome. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. **Recommendations** Upgrade the affected component to a newer version. As a temporary workaround, consider restricting access to the URL Field Handler component until a patch is available. Avoid using the vulnerable URL Field Handler component in Click Studios Passwordstate and Passwordstate Browser Extension Chrome until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Click Studios Passwordstate (affected versions not specified) Click Studios Passwordstate Browser Extension Chrome (affected versions not specified) **Description** A problematic vulnerability has been found, affecting some unknown functionality. The manipulation leads to the use of a risky cryptographic algorithm. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Click Studios Passwordstate (affected versions not specified) Click Studios Passwordstate Browser Extension Chrome (affected versions not specified) **Description** A problematic vulnerability was found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome, affecting an unknown part. The manipulation leads to hard-coded credentials and can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** To resolve the issue, it is recommended to upgrade the affected component. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Click Studios Passwordstate (affected versions not specified) Click Studios Passwordstate Browser Extension Chrome (affected versions not specified) **Description** A vulnerability has been found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome, classified as problematic. This issue affects unknown code, leading to insufficiently protected credentials. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Click Studios Passwordstate (affected versions not specified) Click Studios Passwordstate Browser Extension Chrome (affected versions not specified) **Description** A critical issue affects the Browser Extension Provisioning component, leading to improper authorization. The attack can be initiated remotely. It is estimated that an unknown number of devices may be affected. **Recommendations** To resolve the issue, upgrade the affected component. As a temporary workaround, consider restricting access to the Browser Extension Provisioning component until a patch is available.