Click Studios
Incident Management Advisories

Major Incidents

Click Studios has a well-defined Incident Management Plan designed to effectively address and mitigate major incidents that impact the operation of Passwordstate.

As part of our structured Incident Response Process, Click Studios will notify all customers via email, directing them to this advisories page for the latest updates. These advisories serve as the authoritative source of information, ensuring all stakeholders, including existing and potential customers, media representatives, and other interested parties, receive accurate and timely updates.

By centralizing incident communications through this channel, our Technical Support Team, development staff, and Pre-Sales specialists can focus on advising the required remedial actions to affected customers, ensuring minimal disruption and rapid resolution.

Please note that any email notifications sent during an incident will reference this advisories page as the single source of truth. We strongly advise all customers to rely exclusively on this page for verified information.

Advisories:

At this time, there are no active major incidents affecting Passwordstate.

Common Vulnerabilities and Exposures (CVEs):

The table below outlines confirmed information security vulnerabilities and exposures identified in Passwordstate or its associated modules. Click Studios maintains full transparency regarding security risks and is committed to promptly addressing and mitigating vulnerabilities.

Date

  • 2024-11-25
  • 2024-03-07
  • 2023-09-25


  • 2023-08-31



  • 2022-11-07
  • 2022-09-05
  • 2022-09-05
  • 2020-10-29
  • 2020-10-05
  • 2018-08-01

CVE(s)

  • CVE-2024-54124
  • CVE-2024-39337
  • CVE-2023-47801


  • CVE-2023-43295



  • CVE-2022-3877
  • CVE-2022-3875
  • CVE-2022-3876
  • CVE-2020-27747
  • CVE-2020-26061
  • CVE-2018-14776

Severity

  • Low
  • High
  • Low


  • Low



  • Medium
  • High
  • Medium
  • Low
  • High
  • Low

Product

  • Passwordstate Core
  • Passwordstate Core
  • Passwordstate API


  • Passwordstate Core



  • Passwordstate Core
  • Passwordstate API
  • Passwordstate API
  • Mobile Web Site (Deprecated)
  • Password Reset Portal
  • Passwordstate Core

Description

  • Fixed a potential permission escalation on the edit folder screen.
  • Fixed a potential authentication bypass issue.
  • Incorrect Access Control allowing the potential for an existing Security Administrator to use the System Wide API Key to interact with private password lists for Password History, delete and copy/move API endpoints.
  • Fixed a potential Cross-Site Request Forgery (CSRF) failure, for authenticated sessions, which allowed remote attackers who are able to trick a user into retrying a request to bypass CSRF protection and replay a carefully crafted request.
  • Cross site scripting vulnerability for URL field
  • Authentication bypass by assumed-immutable data
  • Manipulation of the argument PasswordID leads to authorization bypass
  • Lack of brute force attack detection on PIN code authentication
  • A well crafted HTTP request allowed setting a password for a registered user
  • XSS by authenticated users via an uploaded HTML document

Fixed

  • Build 9920
  • Build 9858
  • Build 9811


  • Build 9795



  • Build 9653
  • Build 9611
  • Build 9611
  • Build 8987
  • Build 8501
  • Build 8397

Subscribe to our Annoucements/Advisories RSS Feed

To stay informed about newly identified CVEs, interested parties can subscribe to our RSS Feed and receive timely updates as new advisories are published.

Simply add the URL of https://forums.clickstudios.com.au/forum/6-announcements.xml to your favorite RSS Reader.