Message-ID: <LbTQiYq--3-1@tutanota.com>
Date: Tue, 2 Apr 2019 16:23:24 +0200 (CEST)
From: <gionreale@...anota.com>
To: Fulldisclosure <fulldisclosure@...lists.org>
Subject: [FD] Uniqkey Password Manager 1.14 - Remote Credential Disclosure

Uniqkey Password Manager 1.14 contains a vulnerability which causes remote credential disclosure under certain conditions.

CVE-2019-10676

-------------------------------------------------------------------------------------------------------------------------------------------

When entering new credentials to a site that isn't registered within the password manager, a pop-up window will appear asking the user if they want to save these new credentials. This pop-up window will stay on any page the user visits within the browser until a decision is made. The code of the pop-up window can be read by remote servers and contains the login credentials and URL in cleartext. A malicious server could easily grab this information from the pop-up. This vulnerability is related to id="uniqkey-password-popup" and password-popup/popup.html.

Fix:

Update to the current version.

-----------------------------------------------------------------------------------------------------------------------------------------------------

Disclosure:

Vendor contacted: 5th Jan 2019
Issue fixed: 23rd Jan 2019
Bug Bounty paid: 4th Feb 2019

The vendor was very professional and responded well most of the time.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
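The exposure class the advisory describes, as an added example that is not part of the original post or of Uniqkey's code: a save prompt rendered into the visited page's DOM (readable by any script the site serves) beside an isolated-origin alternative, plus a check a defender can run against the page-visible markup. The mock DOM, the extension URL, the messaging channel and the sample credentials are constructed assumptions; the hardened pattern is an illustration, not the vendor's actual fix.

```javascript
// Minimal stand-in for the page DOM so this runs in Node without a browser (constructed).
class DomNode {
  constructor(tag, attrs = {}, text = "") {
    this.tag = tag; this.attrs = attrs; this.text = text; this.children = [];
  }
  append(child) { this.children.push(child); return child; }
  // What any script served by the site can read: the serialized markup of the document.
  outerHTML() {
    const attrs = Object.entries(this.attrs).map(([k, v]) => ` ${k}="${v}"`).join("");
    const inner = this.text + this.children.map((c) => c.outerHTML()).join("");
    return `<${this.tag}${attrs}>${inner}</${this.tag}>`;
  }
}

// Vulnerable pattern, as the advisory describes it: the "save these credentials?" prompt
// is built as ordinary DOM inside the visited page, so its markup, credentials and URL
// included, is readable by that page's scripts and can be relayed to the site's server.
function renderPromptInPageDom(body, creds) {
  const popup = body.append(new DomNode("div", { id: "uniqkey-password-popup" }));
  popup.append(new DomNode("span", {}, `Save login for ${creds.url}?`));
  popup.append(new DomNode("input", { name: "username", value: creds.username }));
  popup.append(new DomNode("input", { name: "password", value: creds.password }));
  return popup;
}

// Hardened pattern (editor's illustration, not the vendor's fix): the page only receives
// an iframe whose document lives on the extension's own origin. The credentials never
// enter the page DOM; they reach the popup document over the extension's internal
// messaging, modelled here by a plain channel object the page cannot observe.
function renderPromptInExtensionFrame(body, creds, channel) {
  const frame = body.append(new DomNode("iframe", {
    id: "uniqkey-password-popup",
    src: "chrome-extension://EXTENSION_ID_PLACEHOLDER/password-popup/popup.html",
  }));
  channel.send({ type: "pending-credentials", ...creds });
  return frame;
}

// Defender's regression check: does the page-visible markup contain the secret anywhere?
function pageMarkupLeaks(body, secret) {
  return body.outerHTML().includes(secret);
}

// Constructed sample credentials for a demonstration run.
const sampleCreds = { url: "https://example.com/login", username: "alice", password: "s3cret-demo" };
```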