A "carefully crafted URL" can get you emergency admin access on the enterprise-aimed PAM.
Click Studios has rolled out an emergency fix for Passwordstate 9.9 to patch a high-severity flaw that is still CVE-pending.
Changelog notes say the flaw allows authentication bypass "when using a carefully crafted URL against the core Passwordstate Products' Emergency Access page".
The company did not immediately respond to a request for details made outside of Australian office hours.
Passwordstate is pitched as an enterprise-grade PAM, with enterprise users charged about $7,600 for a one-off licence. Click Studios says it is in use by hundreds of thousands of IT professionals.
Circa 2012
Click Studios says the emergency access page was introduced as "an account of last resort" in Passwordstate 5, which dates back to 2012.
"The Emergency Access account is a separate built-in account with ‘Security Administrator’ rights that allows login to Passwordstate when other accounts are locked out, or inaccessible for any reason," according to its documentation.
The function has its own login URL, at //<Your Passwordstate URL>/Emergency – which, when accessed, is supposed to mail the requesting IP to all security admins.
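Because every visit to the Emergency Access URL is supposed to reach the security admins by email, a defender can cross-check that notification trail against the web server log itself. The following is an added example, not Click Studios' code; it assumes IIS W3C log lines with the field order shown in the constructed sample, and a hypothetical allowlist of networks from which emergency logins are expected.

```python
"""Flag requests to the Passwordstate Emergency Access page in IIS W3C logs.

Added example, not Click Studios' code. Assumes the W3C field order given
in the constructed sample below; EXPECTED_NETS is a hypothetical allowlist.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Networks from which emergency access is expected (hypothetical values).
EXPECTED_NETS = [ip_network("10.0.5.0/24")]

# Constructed sample IIS log lines (W3C format), not real traffic.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-10 08:01:12 10.0.0.5 GET /Emergency - 443 - 10.0.5.17 Mozilla/5.0 200
2024-01-10 08:01:40 10.0.0.5 GET /default.aspx - 443 jsmith 10.0.5.17 Mozilla/5.0 200
2024-01-10 03:14:02 10.0.0.5 GET /emergency/ - 443 - 203.0.113.9 curl/8.4 200
2024-01-10 03:14:05 10.0.0.5 POST /Emergency - 443 - 203.0.113.9 curl/8.4 302
"""

def parse_w3c(text):
    """Yield one dict per log record, keyed by the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip it
        yield dict(zip(fields, parts))

def emergency_hits(text):
    """Count requests per client IP whose path is the Emergency Access page."""
    hits = Counter()
    for rec in parse_w3c(text):
        # Normalise case and trailing slash so /Emergency and /emergency/ match.
        stem = rec["cs-uri-stem"].lower().rstrip("/")
        if stem == "/emergency":
            hits[rec["c-ip"]] += 1
    return hits

def unexpected_sources(hits):
    """Return client IPs that hit /Emergency from outside the expected networks."""
    return sorted(ip for ip in hits
                  if not any(ip_address(ip) in net for net in EXPECTED_NETS))

if __name__ == "__main__":
    counts = emergency_hits(SAMPLE_LOG)
    for ip in unexpected_sources(counts):
        print(f"ALERT: {counts[ip]} Emergency page request(s) from {ip}")
```

Each alert should have a matching notification email to the security admins; a log hit with no email is worth investigating on its own.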
Click Studios offers on-request recovery of the emergency access password if it is lost, using in-house tools and values drawn from the Passwordstate database.
Passwordstate's CVE scorecard shows three bypass and three privilege escalation vulnerabilities in 2022, and one code execution problem in 2023.