Ruben Meeuwissen

**Name of the Vulnerable Software and Affected Versions** Passbolt Browser Extension versions prior to 4.6.2 **Description** An issue in the Passbolt Browser Extension results in an information leak. As a user types a password, multiple requests are sent to HaveIBeenPwned, allowing an attacker who can observe these HTTPS queries to the Pwned Password API to more easily brute force manually typed passwords. **Recommendations** For versions prior to 4.6.2, update to version 4.6.2 or later to resolve the issue. As a temporary workaround, consider disabling the password checking feature that sends requests to HaveIBeenPwned until a patch is applied. Restrict access to sensitive information and use additional security measures to protect against brute force attacks.

**Name of the Vulnerable Software and Affected Versions** Passbolt API versions prior to 4.6.2 **Description** The issue allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, it may still impact the appearance and user interaction of the page. **Recommendations** For Passbolt API versions prior to 4.6.2, update to version 4.6.2 or later to resolve the issue. As a temporary workaround, consider restricting access to URL parameters to minimize the risk of exploitation.