Description
An issue was discovered in Passbolt Browser Extension before 4.6.2. While a password is being typed, the extension sends a request to HaveIBeenPwned for each intermediate value of the field instead of a single request for the final value. Each request discloses information about a partial password to the HaveIBeenPwned service and to any party able to observe the requests, so the sequence of requests leaks information about the password being entered (CWE-200).
Recommendation
Update the passbolt-browser-extension package to the latest compatible version. Version details:
- Affected version(s): < 4.6.2
- Patched version(s): 4.6.2
References
- GHSA-xfq4-78j7-v594
- blog.quarkslab.com
- haveibeenpwned.com
- www.passbolt.com
- CVE-2024-33669
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Related Issues
- Strapi may leak sensitive user information, user reset password, tokens via content-manager views (GHSA-v8gg-4mq2-88q4) - CVE-2023-36472
- CouchAuth host header injection vulnerability leaks the password reset token - CVE-2023-39655
- react-native-mmkv Insertion of Sensitive Information into Log File vulnerability - CVE-2024-21668
Tags:
- npm
- passbolt-browser-extension
Last updated on June 19, 2025