Incident Management Advisories

Major Incidents

Click Studios has an established Incident Management Plan that is used in the event of major incidents affecting Passwordstate’s operation.

As part of the Incident Management Process, Click Studios will email all customers advising to check this advisories page for updates. Advisories detail the best known information available, at a point in time, and are the only authorized updates for existing and potential customers, media and interested parties. By publishing these advisories, representing the single source of truth, Technical Support Team members, developers and Pre-Sales staff can focus solely on assisting customers with the major incident.

Please be aware that emails to Sales or Support, requesting additional information, will be replied to with a standard response directing the requestor to this Advisories page. Please understand, if Click Studios invokes the Incident Management Plan, our number one priority is working with our customers to identify if they have been affected and advising them of required remedial actions.

We recommend any interested party periodically check this advisories page for the latest updates.

Advisories:

There are no current major incidents at this time.

Common Vulnerabilities and Exposures:

The table below lists the information-security vulnerabilities and exposures in Passwordstate or its associated modules that Click Studios has confirmed, together with the build in which each was fixed. Interested parties can subscribe to the RSS feed at the bottom of this page to be notified when new CVEs are added.

Date | CVE(s) | Severity | Product | Description | Fixed in
2024-03-07 | CVE-2024-39337 | High | Passwordstate Core | Fixed a potential authentication bypass issue. | Build 9858
2023-09-25 | CVE-2023-47801 | Low | Passwordstate API | Incorrect access control allowing an existing Security Administrator to use the System Wide API Key to interact with private Password Lists through the Password History, delete and copy/move API endpoints. | Build 9811
2023-08-31 | CVE-2023-43295 | Low | Passwordstate Core | Potential Cross-Site Request Forgery (CSRF) failure for authenticated sessions: a remote attacker who could trick a user into retrying a request could bypass CSRF protection and replay a carefully crafted request. | Build 9795
2022-11-07 | CVE-2022-3877 | Medium | Passwordstate Core | Cross-site scripting vulnerability in the URL field. | Build 9653
2022-09-05 | CVE-2022-3875 | High | Passwordstate API | Authentication bypass by assumed-immutable data. | Build 9611
2022-09-05 | CVE-2022-3876 | Medium | Passwordstate API | Manipulation of the PasswordID argument leads to authorization bypass. | Build 9611
2020-10-29 | CVE-2020-27747 | Low | Mobile Web Site (Deprecated) | Lack of brute-force attack detection on PIN code authentication. | Build 8987
2020-10-05 | CVE-2020-26061 | High | Password Reset Portal | A crafted HTTP request allowed setting a password for a registered user. | Build 8501
2018-08-01 | CVE-2018-14776 | Low | Passwordstate Core | XSS by authenticated users via an uploaded HTML document. | Build 8397

Subscribe to our Announcements/Advisories RSS Feed

Subscribe to our RSS Feed for the latest announcements and security advisories.

Simply add the URL of https://forums.clickstudios.com.au/forum/6-announcements.xml to your favorite RSS Reader.
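For teams that would rather automate the watch than rely on a desktop RSS reader, the following script polls a feed of this kind and surfaces only the entries that mention a CVE identifier and are newer than the last entry already reviewed. It is an added example, not Click Studios' code. The feed URL is the one named above; the feed body embedded in the script is a constructed sample so the script runs offline, and the item layout (standard RSS 2.0 items with title, link, pubDate and description) is an assumption about the real feed.

```python
"""Poll a security-advisory RSS feed and surface new entries that mention CVE IDs.

Added example, not Click Studios' code. FEED_URL is the feed the advisory page
names; SAMPLE_FEED is a constructed sample so the script runs offline, and the
RSS 2.0 item layout it uses is an assumption about the real feed.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

FEED_URL = "https://forums.clickstudios.com.au/forum/6-announcements.xml"  # from the page

# Matches the CVE identifier syntax used by MITRE (four-digit year, 4+ digit sequence).
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,7}\b")

# Constructed sample feed; the titles and links are illustrative, not real posts.
SAMPLE_FEED = """<rss version="2.0"><channel><title>Announcements</title>
<item><title>Passwordstate Build 9858 addresses CVE-2024-39337</title>
<link>https://example.invalid/topic/1</link>
<pubDate>Thu, 07 Mar 2024 09:00:00 +0000</pubDate>
<description>Fixed a potential authentication bypass issue.</description></item>
<item><title>Maintenance window this weekend</title>
<link>https://example.invalid/topic/2</link>
<pubDate>Mon, 04 Mar 2024 09:00:00 +0000</pubDate>
<description>No security impact.</description></item>
<item><title>API security fixes</title>
<link>https://example.invalid/topic/3</link>
<pubDate>Mon, 05 Sep 2022 09:00:00 +0000</pubDate>
<description>Build 9611 fixes CVE-2022-3875 and CVE-2022-3876.</description></item>
</channel></rss>"""

# Timestamp of the newest entry already reviewed (illustrative value).
LAST_SEEN = datetime(2023, 1, 1, tzinfo=timezone.utc)


def parse_feed(xml_text):
    """Return one dict per <item>: title, link, published (aware datetime or None), cves."""
    root = ET.fromstring(xml_text)
    items = []
    for item in root.iter("item"):
        title = item.findtext("title", default="")
        desc = item.findtext("description", default="")
        pub = item.findtext("pubDate")
        published = parsedate_to_datetime(pub) if pub else None
        # Collect CVE IDs from both title and body, de-duplicated and sorted.
        cves = sorted(set(CVE_RE.findall(title + " " + desc)))
        items.append({
            "title": title,
            "link": item.findtext("link", default=""),
            "published": published,
            "cves": cves,
        })
    return items


def new_cve_items(items, last_seen):
    """Entries published after last_seen that mention at least one CVE."""
    return [
        i for i in items
        if i["cves"] and i["published"] is not None and i["published"] > last_seen
    ]


def fetch_feed(url=FEED_URL, timeout=10):
    """Live fetch over the network; not called by default so the example stays offline."""
    from urllib.request import urlopen
    with urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Swap SAMPLE_FEED for fetch_feed() to run against the real announcements feed.
    for entry in new_cve_items(parse_feed(SAMPLE_FEED), LAST_SEEN):
        print(entry["published"].date(), ", ".join(entry["cves"]), entry["title"], entry["link"])
```

Persist the newest pubDate you have processed as the next LAST_SEEN so that a scheduled run reports each advisory once; the regex deliberately matches the identifier syntax rather than the word "CVE" so that discussion posts that mention CVEs in passing are still surfaced, which is the safer failure mode for an advisory watch.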