CVE-2019-10676 - OpenCVE

An issue was discovered in Uniqkey Password Manager 1.14. Upon entering new credentials to a site that is not registered within this product, a pop-up window will appear prompting the user if they want to save this new password. This pop-up window will persist on any page the user enters within the browser until a decision is made. The code of the pop-up window can be read by remote servers and contains the login credentials and URL in cleartext. A malicious server could easily grab this information from the pop-up. This is related to id="uniqkey-password-popup" and password-popup/popup.html.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:M/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Uniqkey	Password Manager

Configuration 1 [-]

cpe:2.3:a:uniqkey:password_manager:1.14:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://cxsecurity.com/issue/WLB-2019040055
https://packetstormsecurity.com/files/152410/Uniqkey-Password-Manager-1.14-Credential-Disclosure.html
https://seclists.org/fulldisclosure/2019/Apr/1
https://vuldb.com/?id.132740

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-04-08T16:32:16

Updated: 2024-08-04T22:32:01.335Z

Reserved: 2019-03-31T00:00:00

Link: CVE-2019-10676

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2019-04-08T17:29:00.497

Modified: 2020-08-24T17:37:01.140

Link: CVE-2019-10676

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2019-04-02T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in Uniqkey Password Manager 1.14. Upon entering new credentials to a site that is not registered within this product, a pop-up window will appear prompting the user if they want to save this new password. This pop-up window will persist on any page the user enters within the browser until a decision is made. The code of the pop-up window can be read by remote servers and contains the login credentials and URL in cleartext. A malicious server could easily grab this information from the pop-up. This is related to id=\"uniqkey-password-popup\" and password-popup/popup.html."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-04-08T16:32:16", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://seclists.org/fulldisclosure/2019/Apr/1"}, {"tags": ["x_refsource_MISC"], "url": "https://packetstormsecurity.com/files/152410/Uniqkey-Password-Manager-1.14-Credential-Disclosure.html"}, {"tags": ["x_refsource_MISC"], "url": "https://cxsecurity.com/issue/WLB-2019040055"}, {"tags": ["x_refsource_MISC"], "url": "https://vuldb.com/?id.132740"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2019-10676", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Uniqkey Password Manager 1.14. Upon entering new credentials to a site that is not registered within this product, a pop-up window will appear prompting the user if they want to save this new password. This pop-up window will persist on any page the user enters within the browser until a decision is made. The code of the pop-up window can be read by remote servers and contains the login credentials and URL in cleartext. A malicious server could easily grab this information from the pop-up. This is related to id=\"uniqkey-password-popup\" and password-popup/popup.html."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://seclists.org/fulldisclosure/2019/Apr/1", "refsource": "MISC", "url": "https://seclists.org/fulldisclosure/2019/Apr/1"}, {"name": "https://packetstormsecurity.com/files/152410/Uniqkey-Password-Manager-1.14-Credential-Disclosure.html", "refsource": "MISC", "url": "https://packetstormsecurity.com/files/152410/Uniqkey-Password-Manager-1.14-Credential-Disclosure.html"}, {"name": "https://cxsecurity.com/issue/WLB-2019040055", "refsource": "MISC", "url": "https://cxsecurity.com/issue/WLB-2019040055"}, {"name": "https://vuldb.com/?id.132740", "refsource": "MISC", "url": "https://vuldb.com/?id.132740"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:32:01.335Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://seclists.org/fulldisclosure/2019/Apr/1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://packetstormsecurity.com/files/152410/Uniqkey-Password-Manager-1.14-Credential-Disclosure.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://cxsecurity.com/issue/WLB-2019040055"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://vuldb.com/?id.132740"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-10676", "datePublished": "2019-04-08T16:32:16", "dateReserved": "2019-03-31T00:00:00", "dateUpdated": "2024-08-04T22:32:01.335Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:uniqkey:password_manager:1.14:*:*:*:*:*:*:*", "matchCriteriaId": "37A0462E-58EB-41FA-8FBA-C8B2C1872530", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Uniqkey Password Manager 1.14. Upon entering new credentials to a site that is not registered within this product, a pop-up window will appear prompting the user if they want to save this new password. This pop-up window will persist on any page the user enters within the browser until a decision is made. The code of the pop-up window can be read by remote servers and contains the login credentials and URL in cleartext. A malicious server could easily grab this information from the pop-up. This is related to id=\"uniqkey-password-popup\" and password-popup/popup.html."}, {"lang": "es", "value": "Se ha detectado un problema en Uniqkey Password Manager versi\u00f3n 1.14. Al introducir nuevas credenciales a un sitio que no est\u00e1 registrado dentro de este producto, aparecer\u00e1 una ventana emergente que le solicitar\u00e1 al usuario si desea guardar esta nueva contrase\u00f1a. Esta ventana emergente persistir\u00e1 en cualquier p\u00e1gina que el usuario ingresa dentro del navegador hasta que una decisi\u00f3n se haya tomado. El c\u00f3digo de la ventana emergente se puede leer por los servidores remotos y contiene las credenciales de inicio de sesi\u00f3n y la direcci\u00f3n URL en texto sin cifrar. Un servidor malicioso podr\u00eda f\u00e1cilmente tomar esta informaci\u00f3n de la ventana emergente. Esto est\u00e1 relacionado con id=\"uniqkey-password-popup\" y password-popup/popup.html."}], "id": "CVE-2019-10676", "lastModified": "2020-08-24T17:37:01.140", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-04-08T17:29:00.497", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://cxsecurity.com/issue/WLB-2019040055"}, {"source": "cve@mitre.org", "tags": ["VDB Entry", "Third Party Advisory"], "url": "https://packetstormsecurity.com/files/152410/Uniqkey-Password-Manager-1.14-Credential-Disclosure.html"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/fulldisclosure/2019/Apr/1"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://vuldb.com/?id.132740"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "nvd@nist.gov", "type": "Primary"}]}