CVE-2023-47801
Description
An issue was discovered in Click Studios Passwordstate before 9811. Existing users (Security Administrators) could use the System Wide API Key to read or delete private password records when specifically used with the PasswordHistory API endpoint. It is also possible to use the Copy/Move Password Record API Key to Copy/Move private password records.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Passwordstate before 9811, Security Administrators can abuse API keys to read or delete private password records via the PasswordHistory endpoint.
Vulnerability
In Click Studios Passwordstate versions prior to 9811, users with the Security Administrator role can leverage the System Wide API Key to read or delete private password records when specifically used with the PasswordHistory API endpoint. Additionally, the Copy/Move Password Record API Key can be used to copy or move private password records. This affects all builds before 9811.
Exploitation
An attacker must be an authenticated Security Administrator with access to either the System Wide API Key or the Copy/Move Password Record API Key. They can then craft API requests to the PasswordHistory endpoint to read or delete private password records, or use the Copy/Move API to copy or move private records. No further user interaction is required beyond the initial authentication.
Impact
Successful exploitation allows a Security Administrator to read or delete private password records that should be restricted, leading to unauthorized disclosure or loss of sensitive credentials. The attacker gains the ability to manipulate private password data beyond their intended privileges.
Mitigation
The vulnerability is fixed in Passwordstate version 9811. Users should upgrade to that version or later. No workaround is mentioned in the available references [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <9811
Patches
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.