| Title | Uniqkey Password Manager 1.14 - Remote Credential Disclosure |
|---|
| Description | Uniqkey Password Manager 1.14 contains a vulnerability which causes remote credential disclosure under certain conditions.
CVE-2019-10676
-------------------------------------------------------------------------------------------------------------------------------------------
When entering new credentials to a site that isn't registered within
the password manager, a pop-up window will appear asking the user
if they want to save these new credentials. This pop-up window will
stay on any page the user visits within the browser until a
decision is made. The code of the pop-up window can be read by remote
servers and contains the login credentials and URL in cleartext.
A malicious server could easily grab this information from the pop-up.
This vulnerability is related to id="uniqkey-password-popup" and password-popup/popup.html.
Fix:
Update to the current version.
-----------------------------------------------------------------------------------------------------------------------------------------------------
Disclosure:
Vendor contacted: 5th Jan 2019
Issue fixed: 23rd Jan 2019
Bug Bounty paid: 4th Feb 2019
The vendor was very professional and responded well most of the time.
Discovered and reported by Gionathan Reale
|
|---|
| User | GionathanReale (UID 2768) |
|---|
| Submitted | 2019. 04. 02. 09:57 PM (7 years ago) |
|---|
| Moderation | 2019. 04. 03. 08:14 AM (10 hours later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 132740 [Uniqkey Password Manager 1.14 Credentials information disclosure] |
|---|
| Points | 17 |
|---|