Password Auto-Fill Vulnerability in Bitwarden by Bitwarden
CVE-2018-25081

7.5HIGH

Key Information:

Vendor: Bitwarden
Status: Bitwarden
Vendor: CVE Published:; 9 March 2023

What is CVE-2018-25081?

The password auto-fill feature in Bitwarden allows automatic input of credentials through a cross-domain IFRAME, which may expose users to unauthorized data access. Although Bitwarden claims that this feature is not enabled by default and that legitimate uses cases exist for cross-domain configurations, the potential for exploitation remains a concern. Users should be aware of the implications and ensure that their security settings are configured appropriately to mitigate risks associated with this vulnerability.

References

https://github.com/bitwarden/clients/releases

https://flashpoint.io/blog/bitwarden-password-pilfering/

https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Ass...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 9, 2023
Vulnerability Reserved
Mar 8, 2023