- Passwordstate’s latest version patches an authentication bypass bug
- It could be abused to access the Passwordstate Administration section without authorization
- There are workarounds too
Passwordstate, an enterprise password manager tailored to organizations and to IT and security teams, is urging users to update their instances to the latest version and mitigate the risk of potential authorization bypass attacks.
“Today we have released Build 9972, which includes 2 security updates,” said Click Studios, the company behind Passwordstate, in its security advisory. “We recommend that customers upgrade as soon as possible.”
The changelog for Passwordstate 9.9 – Build 9972 mentions a “potential Authentication Bypass when using a carefully crafted URL against the Core Passwordstate Product’s Emergency Access page”.
Workaround and mitigation
A CVE ID for the vulnerability is currently pending, so we do not know the severity at the moment, but we do know that exploiting it allows threat actors to access the password manager’s Administration section. Depending on how easy it is to pull off, the severity could be quite high.
In a conversation with BleepingComputer, Click Studios also said there is a workaround for those who cannot patch quickly: “The only partial workaround for this is to set the Emergency Access Allowed IP Address to your web server under System Settings -> Allowed IP Ranges. This is a short-term partial fix and Click Studios [recommends] 9972 as soon as possible.”
Passwordstate is a secure password manager used to store, organize, and control passwords, API keys, certificates, and other secrets. It is primarily an on-prem solution, although cloud-based options are also available. It is praised for its enterprise-level functionality and affordable pricing compared to higher-priced PAM tools, but it is also criticized for its steeper technical learning curve, setup, server requirements, and UI complexity.
Click Studios claims it is used by more than 370,000 users working in 29,000 companies, including government agencies, financial institutions, global enterprises, Fortune 500 companies, and others.
Via BleepingComputer