lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <LbgYb6J--3-1@tutanota.com>
Date: Fri, 5 Apr 2019 10:16:54 +0200 (CEST)
From: <gionreale@...anota.com>
To: Fulldisclosure <fulldisclosure@...lists.org>
Subject: [FD] Uniqkey Password Manager 1.14 - Remote Denial Of Service
 [CVE-2019-10845]


An issue was discovered in Uniqkey Password Manager 1.14.
When entering new credentials to a site that isn't registered within
this product, a pop-up window will appear asking the user if
they want to save these new credentials. The code of the pop-up window
can be read and, to some extent, manipulated by remote servers. This
pop-up window will stay on any page the user visits within the browser
until a decision is made. A malicious web server can forcefully
manipulate the pop-up and cause it not to appear, stopping users from
securing their credentials. This vulnerability is related to
id="uniqkey-password-popup" and password-popup/popup.html, but is a
different vulnerability than CVE-2019-10676.


Vendor informed: 5th Jan 2019

Discovered by Gionathan Reale

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ