Impact
The vulnerability stems from insufficient validation of the X-Forwarded-Host HTTP header in Password Manager. An attacker can craft a URL that includes a malicious domain in X-Forwarded-Host. When a victim opens the link, the application redirects them to the attacker‑controlled site, enabling phishing or deception attacks. The flaw is a classic open‑redirection weakness classified as CWE‑601, and although it does not directly compromise data confidentiality or integrity, it can lead to user confusion and credential theft.
Affected Systems
All installed versions of Password Manager prior to the update released on 8 July 2025 are affected. The product is identified by the vendor-name Password Manager, and the patch fixes the issue in the 08_07_2025 release.
Risk and Exploitability
The CVSS score of 5.1 indicates a medium severity weakness. the CVE is not listed in the CISA KEV catalog, implying that documented exploitation is currently low or unknown. The attack requires delivering a crafted link containing a manipulated X-Forwarded-Host header, which an attacker can embed in emails, social media posts, or any URL that a victim may click. Because the exploitation path does not require authentication or prior compromise, the risk is moderate, but the potential phishing impact warrants prompt remediation.
OpenCVE Enrichment