lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 2 Apr 2019 16:23:24 +0200 (CEST)
From: <gionreale@...anota.com>
To: Fulldisclosure <fulldisclosure@...lists.org>
Subject: [FD] Uniqkey Password Manager 1.14 - Remote Credential Disclosure



>
> Uniqkey Password Manager 1.14 contains a vulnerability which causes remote credential disclosure under certain conditions.
>
CVE-2019-10676

>
> -------------------------------------------------------------------------------------------------------------------------------------------
>
> When entering new credentials to a site that isn't registered within
> the password manager, a pop-up window will appear asking the user
> if they want to save these new credentials. This pop-up window will
> stay on any page the user visits within the browser until a
> decision is made. The code of the pop-up window can be read by remote
> servers and contains the login credentials and URL in cleartext.
> A malicious server could easily grab this information from the pop-up.
> This vulnerability is related to id="uniqkey-password-popup" and password-popup/popup.html.
>
>
> Fix:
>
> Update to the current version.
> -----------------------------------------------------------------------------------------------------------------------------------------------------
> Disclosure:
>
> Vendor contacted: 5th Jan 2019
> Issue fixed : 23rd Jan 2019
> Bug Bounty paid: 4th Feb 2019
>
>
> The vendor was very professional and responded well most of the time. 
>


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists