Headline
CVE-2022-28795: Norton Security Advisories
NLOKSA1506
Avira Password Manager-Browser Extensions vulnerable to Sensitive Data Leakage via Phishing
Advisory Status
CLOSED
Summary
NortonLifeLock has released an update to address an issue that was discovered in the Avira Password Manager Browser Extension.
Affected Products
Only the following software is affected:
- “Avira Password Manager” - extension for Chrome; version 2.18.4.3868
- “Avira Password Manager” - extension for MS Edge; version 2.18.4.3847
- “Avira Password Manager” - extension for Opera; version 2.18.4.3847
- “Avira Password Manager” - extension for Firefox; version 2.18.4.38471
- “Avira Password Manager” - extension for Safari; version 2.18.4
Issues
Mitigation
Upgrade the extensions to the following versions:
- “Avira Password Manager” - extension for Chrome; version 2.18.5.3877
- “Avira Password Manager” - extension for MS Edge; version 2.18.5.3877
- “Avira Password Manager” - extension for Opera; version 2.18.5.3877
- “Avira Password Manager” - extension for Firefox; version 2.18.5.38771
- “Avira Password Manager” - extension for Safari; version 2.18.5 (3877)
Users who have not disabled auto-updates receive the updated versions automatically and do not need to take any action.
Acknowledgements
Stiftung Warentest
CVE-2022-28795
Severity/CVSSv3:
Critical
Score: 9.6
Vector: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
References
https://nvd.nist.gov/vuln/detail/CVE-2022-28795
Impact
Sensitive Data Leakage
Description
A vulnerability within the Avira Password Manager Browser Extensions provided a potential loophole where, if a user visited a page crafted by an attacker, the discovered vulnerability could trigger the Password Manager Extension to fill in the password field automatically. An attacker could then access this information via JavaScript. The issue was fixed with the browser extensions version 2.18.5 for Chrome, MS Edge, Opera, Firefox, and Safari.
Additional Recommendations, if any:
We encourage customers to ensure their security software, as well as their tech devices, are always updated to the latest version available. In addition, we encourage users to use two-factor authentication (2FA) as an additional layer of security.