Description
An issue was discovered in Passbolt Browser Extension before 4.6.2. It can send multiple requests to HaveIBeenPwned while a password is being typed, which results in an information leak.
Recommendation
Update the passbolt-browser-extension package to the latest compatible version. Version details:
- Affected version(s): < 4.6.2
- Patched version(s): 4.6.2
References
- GHSA-xfq4-78j7-v594
- blog.quarkslab.com
- haveibeenpwned.com
- www.passbolt.com
- CVE-2024-33669
- CWE-200
- CAPEC-310
- OWASP 2021-A1
- OWASP 2021-A6
Tags: npm, passbolt-browser-extension
Last updated on June 19, 2025