Kaspersky Fixes Security Issue in Password Manager Allowing Credentials Recovery
CVE-2023-23349

2.2LOW

Key Information:

Vendor: Kaspersky
Status: Kaspersky Password Manager For Windows
Vendor: CVE Published:; 22 March 2024

Summary

A security issue has been identified in Kaspersky Password Manager for Windows that permits a local user to retrieve auto-filled credentials through a memory dump while the KPM extension for Google Chrome is active. To exploit this vulnerability, an attacker can entice a user into interacting with a malicious login form that auto-fills saved credentials from Kaspersky Password Manager. Following this, the attacker must deploy a malware component to extract the specified credentials, which may lead to unauthorized access and compromise of sensitive user information.

Affected Version(s)

Kaspersky Password Manager for Windows * < 24.0.0.427

References

https://support.kaspersky.com/vulnerability/list-of-advis...

vendor-advisory

CVSS V3.1

Score:

2.2

Severity:

LOW

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Local

Attack Complexity:

High

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Mar 22, 2024
Vulnerability Reserved
Jan 11, 2023

Credit

Efstratios Chatzoglou

Zisis Tsiatsikas

Vyron Kampourakis