CVE-2022-28795: Vulnerability in Avira Password Manager Browser Extensions could cause automatic filling of the password field on attacker-crafted pages, enabling potential credential leakage via JavaScript; fixed in version 2.18.5 across Chrome, Edge, Opera, Firefox, and Safari.


Description

A vulnerability in the Avira Password Manager browser extensions allowed an attacker to trigger the extension to auto-fill the password field when a user visits a page crafted by the attacker. This could enable an attacker to access the filled password via JavaScript on the page, leading to sensitive data leakage. The issue affected multiple browser extension versions across Chrome, MS Edge, Opera, Firefox, and Safari, specifically the Chrome extension and various 2.18.4.x releases (e.g., MS Edge 2.18.4.3868, Opera and Firefox 2.18.4.3847, Safari 2.18.4.38471, and a generic 2.18.4). The vulnerability was addressed with browser extension version 2.18.5 for all listed browsers (Chrome, Edge, Opera, Firefox, and Safari).

Overview

This CVE describes a sensitive data leakage flaw in Avira Password Manager’s browser extensions where a page crafted by an attacker could trigger the extension to auto-fill credentials, exposing them to the attacker via JavaScript. Affected were the Chrome extension and 2.18.4.x releases across Edge, Opera, Firefox, and Safari. The issue has been fixed in version 2.18.5 for all supported browsers, mitigating the leakage vector.

Remediation

  • Update to Avira Password Manager browser extension version 2.18.5 or newer for Chrome, MS Edge, Opera, Firefox, and Safari.
  • If automatic updates are disabled, manually update or reinstall the extension on all supported browsers to ensure the patched version is installed.
  • After updating, restart the browsers to ensure the new extension is loaded.
  • If upgrading is not possible in the short term, temporarily disable the Avira Password Manager extension until an update can be applied.
  • Enforce automatic updates for extensions where possible and monitor for security advisories related to password manager extensions.
  • As a general security measure, minimize exposure by restricting or auditing browser extensions, keeping all software up to date, and practicing caution with pages from untrusted sources.
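To verify the first remediation step across a fleet, the check below walks a Chromium-style extensions directory (`<root>/<extension id>/<version>/manifest.json`), finds copies of the extension by manifest name and flags any build below the fixed version 2.18.5. It is an added example written for this page, not code from the advisory or from Avira; the extension ID, the manifest name match and the sample manifests are constructed assumptions (a real manifest may use a localized `__MSG_...__` name, so match on the ID you observe instead).

```python
"""Audit Chromium-family extension directories for unpatched Avira Password Manager builds."""
import json
import os
import tempfile

PATCHED = "2.18.5"                      # fixed version per the advisory
TARGET_NAME = "Avira Password Manager"  # assumption: manifest "name" contains this string


def version_key(v):
    """'2.18.4.3868' -> (2, 18, 4, 3868). Tuple ordering gives numeric comparison,
    so the four-part 2.18.4.x builds sort below the three-part 2.18.5."""
    return tuple(int(p) for p in v.split("."))


def is_patched(version):
    return version_key(version) >= version_key(PATCHED)


def find_unpatched(extensions_root):
    """Return (extension_id, version) for every copy of the target extension below 2.18.5."""
    findings = []
    for ext_id in sorted(os.listdir(extensions_root)):
        ext_dir = os.path.join(extensions_root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for ver_dir in sorted(os.listdir(ext_dir)):
            manifest_path = os.path.join(ext_dir, ver_dir, "manifest.json")
            if not os.path.isfile(manifest_path):
                continue
            with open(manifest_path, encoding="utf-8") as fh:
                manifest = json.load(fh)
            if TARGET_NAME.lower() not in str(manifest.get("name", "")).lower():
                continue
            version = str(manifest.get("version", "0"))
            if not is_patched(version):
                findings.append((ext_id, version))
    return findings


def build_sample_tree(root):
    """Constructed sample data: a stale 2.18.4.x build, a patched build and an unrelated extension."""
    samples = {"placeholderaviraextensionid00000": [("2.18.4.3868", TARGET_NAME), ("2.18.5", TARGET_NAME)],
               "placeholderotherextensionid00000": [("1.0.0", "Some Other Extension")]}
    for ext_id, builds in samples.items():
        for version, name in builds:
            d = os.path.join(root, ext_id, version)
            os.makedirs(d)
            with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
                json.dump({"name": name, "version": version, "manifest_version": 3}, fh)


def demo():
    """Run the audit against the constructed tree; returns only the 2.18.4.3868 copy."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return find_unpatched(root)


if __name__ == "__main__":
    for ext_id, version in demo():
        print(f"unpatched: {ext_id} {version}")
```

Point `find_unpatched` at each browser profile's extensions directory (for Chrome on Windows, under the profile's `Extensions` folder) to confirm the patched version is actually loaded after the update.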

References

  • Norton Security Advisories: https://support.norton.com/sp/static/external/tools/security-advisories.html
  • MITRE CVE-2022-28795: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28795

Industry Exposure (most to least)
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.

  1. Accommodation & Food Services: Low
  2. Administrative, Support, Waste Management & Remediation Services: Low
  3. Agriculture, Forestry, Fishing & Hunting: Low
  4. Arts, Entertainment & Recreation: Low
  5. Construction: Low
  6. Educational Services: Low
  7. Finance and Insurance: Low
  8. Health Care & Social Assistance: Low
  9. Information: Low
  10. Management of Companies & Enterprises: Low
  11. Manufacturing: Low
  12. Mining: Low
  13. Other Services (except Public Administration): Low
  14. Professional, Scientific, & Technical Services: Low
  15. Public Administration: Low
  16. Real Estate Rental & Leasing: Low
  17. Retail Trade: Low
  18. Transportation & Warehousing: Low
  19. Utilities: Low
  20. Wholesale Trade: Low
