
Critical Vulnerabilities Found in Passwordstate Enterprise Password Manager

December 21, 2022

The security holes, patched in early November with the release of version 9.6 build 9653, were reported to the developer in August by Swiss cybersecurity firm Modzero.

Modzero researchers discovered a total of seven types of vulnerabilities in Passwordstate, including issues related to authentication and authorization bypass, improper password protection, hardcoded credentials, and a stored cross-site scripting (XSS) flaw.

An API authentication bypass tracked as CVE-2022-3875 has been assigned a ‘critical’ severity rating. It can allow an unauthenticated attacker to bypass authentication for the Passwordstate API and gain access to a user’s website passwords, one-time passwords (OTPs), password lists, and other secrets while knowing only that user’s username.

Read More on Security Week