Full Disclosure mailing list archives
Uniqkey Password Manager 1.14 - Remote Credential Disclosure
From: <gionreale () tutanota com>
Date: Tue, 2 Apr 2019 16:23:24 +0200 (CEST)
Uniqkey Password Manager 1.14 contains a vulnerability which causes remote credential disclosure under certain conditions.
CVE-2019-10676
-------------------------------------------------------------------------------

Description:

When a user enters credentials on a site that is not yet stored in the password manager, a pop-up window appears asking whether the new credentials should be saved. This pop-up persists on every page the user visits in the browser until a decision is made. The pop-up is rendered as ordinary markup inside the visited page, so script served by any page the user opens while the prompt is pending can read its contents, which contain the login credentials and the URL they belong to in cleartext. A malicious site can therefore read the saved-credential prompt for an unrelated site and send the username, password and URL back to its server.

The affected markup is the element with id="uniqkey-password-popup", rendered from password-popup/popup.html.

Fix:

Update to the current version.

-------------------------------------------------------------------------------

Disclosure timeline:

Vendor contacted: 5th Jan 2019
Issue fixed: 23rd Jan 2019
Bug bounty paid: 4th Feb 2019

The vendor was very professional and responded well most of the time.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Uniqkey Password Manager 1.14 - Remote Credential Disclosure gionreale (Apr 04)
- Uniqkey Password Manager 1.14 - Remote Denial Of Service [CVE-2019-10845] gionreale (Apr 05)
- GAT-Ship Web Module [All versions before 1.40] - Unrestricted File Upload gionreale (Apr 09)