All incidents

Content scripts running on malicious domain

Summary

  • CVE: N/A.
  • Product affected: Passbolt Browser Extension.
  • Version affected: v1.6.7 and below.
  • Version fixed: v1.6.8.
  • Affected component: Content script injection component (pagemod constructor).
  • Vulnerability Type: Business logic vulnerability.
  • Severity: Medium (4.2).

Impact of issue

Attack vector / exploitation

Credits

Other information

How did you fix this?

var escapedDomain = user.settings.getDomain().replace(/\W/g, "\\$&");
var url = '^' + escapedDomain + '/auth/login/?(#.*)?$';
var regex = new RegExp(url);

Is passbolt server key verification a placebo?

Event timeline

  • 2017-12-27 08:13 PM CET: Vulnerability details sent by reporter.
  • 2017-12-28 05:49 AM CET: We acknowledge the issue, start working on a fix and start looking for similar issues in other part of the code.
  • 2017-12-28 08:19 AM CET: We release a fix on passbolt development repository and start testing with continuous integration tools.
  • 2017-12-28 02:15 PM CET: We deploy a fix on chrome and firefox web extension stores.
  • 2017-12-28 03:00 PM CET: We notify the reporter that a fix has been deployed.
  • 2017-12-28 03:30 PM CET: We publish the fix on github, the release notes and this report.

Current status:

Last updated: 2017-12-28 15:30:00 CET
Flag of European UnionMade in Europe. Privacy by default.