PBL-08 Security audit results

Introduction

Vulnerabilities summary

ID          Project              Issue name                                                  Severity  Status
PBL-08-001  Browser Extension    Credentials Leakage via Clickjacking                        High      Fixed in v3.11.1
PBL-08-007  Passbolt API         SSO-Design prompt=none allows for auth bypass               Medium    Fixed in v4.1
PBL-08-002  Passbolt styleguide  Passphrase Retained In Memory Post-Logout                   Low       Fixed in v3.11
PBL-08-003  Passbolt API         Lack of proper ACL for users Endpoint                       Low       Fixed in v3.11
PBL-08-006  Passbolt API         2FA Status Information Disclosure Via users Endpoint        Info      Fixed in v3.11
PBL-08-004  Passbolt API         No rate-limiting for 2FA login code                         Info      Fixed in v4.1
PBL-08-005  Passbolt API         Cross-Origin-related HTTP security headers missing          Info      Fixed in v4.1
PBL-08-008  Passbolt API         Lack of explicit CSP on extension manifest                  Info      Fixed in v4.1
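Two of the findings above (PBL-08-001, clickjacking, and PBL-08-005, missing cross-origin headers) are the kind of thing an operator can verify on their own deployment from a single HTTP response. The check below is an added example written for this page; it is not Passbolt's code and the audit itself is not quoted. The page does not say which cross-origin headers were absent, so the header set and accepted values in EXPECTED are this example's baseline, not the audit's finding. The sample responses are constructed, not captured from any server.

```python
"""Audit one raw HTTP response for cross-origin and anti-framing headers.

Added example for this page; not Passbolt's code. The header baseline
below is an assumption of the example, not the audit's finding.
"""

# Assumed baseline: which cross-origin headers to require and which
# values count as acceptable. Adjust to the deployment's needs.
EXPECTED = {
    "Cross-Origin-Opener-Policy": {"same-origin", "same-origin-allow-popups"},
    "Cross-Origin-Resource-Policy": {"same-origin", "same-site"},
    "Cross-Origin-Embedder-Policy": {"require-corp", "credentialless"},
}


def parse_headers(raw):
    """Split a raw HTTP/1.1 response into (status line, header dict).

    Header names are lower-cased; a repeated header keeps its last value.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def frame_protection(headers):
    """True if the response forbids framing by other origins.

    CSP frame-ancestors wins when present; otherwise fall back to the
    legacy X-Frame-Options header. Only 'none'/'self' sources are
    accepted as protection.
    """
    csp = headers.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {p.strip("'").lower() for p in parts[1:]}
            return bool(sources) and sources <= {"none", "self"}
    xfo = headers.get("x-frame-options", "").upper()
    return xfo in {"DENY", "SAMEORIGIN"}


def audit_cross_origin_headers(raw):
    """Return a sorted list of findings; an empty list means nothing to report."""
    _, headers = parse_headers(raw)
    findings = []
    for name, allowed in EXPECTED.items():
        value = headers.get(name.lower())
        if value is None:
            findings.append(f"missing {name}")
        elif value.lower() not in allowed:
            findings.append(f"weak {name}: {value}")
    if not frame_protection(headers):
        findings.append(
            "missing anti-framing header (CSP frame-ancestors or X-Frame-Options)")
    # Browsers refuse ACAO:* together with credentials, but a wildcard on
    # an authenticated API is still a misconfiguration worth flagging.
    if headers.get("access-control-allow-origin") == "*":
        findings.append("Access-Control-Allow-Origin: * on a credentialed endpoint")
    return sorted(findings)


# Constructed sample responses (not captured from a real Passbolt server).
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Set-Cookie: session=abc; HttpOnly; Secure\r\n"
    "\r\n"
    '{"ok":true}'
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: application/json\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "Cross-Origin-Resource-Policy: same-origin\r\n"
    "Cross-Origin-Embedder-Policy: require-corp\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n"
    "\r\n"
    '{"ok":true}'
)

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_cross_origin_headers(raw) or ["OK"])
```

Feed it the raw bytes of a response captured with curl -i or from a proxy; the weak sample reports four findings, the hardened one none. The frame-ancestors check deliberately treats any third-party source as unprotected, since that is exactly the configuration a clickjacking page relies on.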

Current status:

1. Acknowledge issue with reporter
2. Get a fix/patch prepared
3. Release new version
4. Prepare a report about the issue
5. Feature the problem in the release
Last updated: 2023-07-10 08:30:00 CET