PT-2024-25426 · Passbolt · Passbolt Browser Extension

Ruben Meeuwissen · Published 2024-04-26 · Updated 2025-06-18 · CVE-2024-33669

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Passbolt Browser Extension versions prior to 4.6.2

Description: An issue in the Passbolt Browser Extension results in an information leak. As a user types a password, a request is sent to HaveIBeenPwned for each keystroke, so an attacker who can observe these HTTPS queries to the Pwned Passwords API can more easily brute force manually typed passwords.

Recommendations: For versions prior to 4.6.2, update to version 4.6.2 or later to resolve the issue. As a temporary workaround, consider disabling the password checking feature that sends requests to HaveIBeenPwned until the update is applied. Restrict access to sensitive information and use additional security measures to protect against brute force attacks.

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

CVE-2024-33669
GHSA-XFQ4-78J7-V594

Affected Products

Passbolt Browser Extension