LastPass Firefox Extension 4.0 < 4.1.21a Message Hijacking

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.

Synopsis :

A password manager installed on the remote host is affected by a
remote message hijacking vulnerability.

Description :

According to its version, the LastPass Firefox extension installed on
the remote Windows host is 4.0.x prior to 4.1.21a. It is, therefore,
affected by a message hijacking vulnerability due to improper
validation of messages sent between the extension and a privileged
iframe. An unauthenticated, remote attacker can exploit this issue by
convincing a user to load a specially crafted web page that
programmatically clicks a LastPass-modified input element, thereby
taking full control of the LastPass extension, including creating and
deleting files, executing scripts, and disclosing passwords.
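The bug class behind this advisory is a privileged frame acting on window messages without checking who sent them. The following is an added illustration of that class and its fix; it is not LastPass or Tenable code and does not reproduce the actual exploit. The vault contents, the extension origin and the `getCredentials` command are constructed for the example. In a real browser `event.origin` and `event.source` are filled in by the browser and cannot be forged by the sending page, which is what makes the hardened check meaningful; here the MessageEvent objects are built by hand so the file runs offline under Node.

```javascript
// Added illustration of the message-hijacking bug class (not LastPass code).
// A privileged frame serves requests from the rest of the extension over
// window.postMessage. The vulnerable handler trusts any message; the
// hardened one checks origin, source window and payload shape first.

// Constructed sample vault for the example.
const VAULT = { 'https://bank.example': { user: 'alice', pass: 'hunter2' } };

// Hypothetical origin of the extension's own pages (assumed, not real).
const EXTENSION_ORIGIN = 'moz-extension://11111111-2222-3333-4444-555555555555';

// Vulnerable: whoever can reach this frame's postMessage gets served.
function handleMessageVulnerable(event) {
  const msg = event.data;
  if (msg && msg.cmd === 'getCredentials') {
    return { ok: true, creds: VAULT[msg.site] || null };
  }
  return { ok: false, reason: 'unknown command' };
}

// Hardened: bind the handler to the one window reference we expect, require
// the extension's own origin, and validate the payload before acting.
function makeHardenedHandler(trustedSource) {
  return function handleMessageHardened(event) {
    if (event.origin !== EXTENSION_ORIGIN) return { ok: false, reason: 'bad origin' };
    if (event.source !== trustedSource) return { ok: false, reason: 'bad source' };
    const msg = event.data;
    if (typeof msg !== 'object' || msg === null || typeof msg.site !== 'string') {
      return { ok: false, reason: 'malformed message' };
    }
    if (msg.cmd === 'getCredentials') {
      return { ok: true, creds: VAULT[msg.site] || null };
    }
    return { ok: false, reason: 'unknown command' };
  };
}

// Stand-ins for window objects; in a browser these would be the real
// `window` references the extension page and the attacker page own.
const extensionWindow = { name: 'extension-popup' };
const attackerWindow = { name: 'attacker-page' };

// Constructed MessageEvent look-alikes.
function attackerEvent() {
  return { origin: 'https://evil.example', source: attackerWindow,
           data: { cmd: 'getCredentials', site: 'https://bank.example' } };
}
function legitimateEvent() {
  return { origin: EXTENSION_ORIGIN, source: extensionWindow,
           data: { cmd: 'getCredentials', site: 'https://bank.example' } };
}
// Right origin but a different window: the source check still rejects it.
function wrongSourceEvent() {
  return { origin: EXTENSION_ORIGIN, source: attackerWindow,
           data: { cmd: 'getCredentials', site: 'https://bank.example' } };
}

const hardened = makeHardenedHandler(extensionWindow);

console.log('vulnerable, attacker :', JSON.stringify(handleMessageVulnerable(attackerEvent())));
console.log('hardened,   attacker :', JSON.stringify(hardened(attackerEvent())));
console.log('hardened,   wrong src:', JSON.stringify(hardened(wrongSourceEvent())));
console.log('hardened,   legit    :', JSON.stringify(hardened(legitimateEvent())));
```

The source check matters even when the origin matches: a frame the extension itself created can be navigated or replaced, so the handler should hold on to the exact window it expects to talk to rather than trusting every window under the extension's origin.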

See also :

Solution :

Upgrade to LastPass Firefox extension version 4.1.21a or later.
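A version check that reproduces the affected range stated above (4.0.x up to but not including 4.1.21a), as an added example that is not Tenable's plugin code. One assumption is made about ordering: a trailing letter is treated as a post-release marker, so a plain "4.1.21" sorts below "4.1.21a" and is still flagged; the advisory does not say how the unlettered 4.1.21 should be treated, so adjust if your inventory source reports versions differently.

```javascript
// Added example (not Tenable's plugin code): is a reported LastPass Firefox
// extension version inside the range 4.0.0 <= v < 4.1.21a?
// Assumption: a trailing letter is a post-release increment (a=1, b=2, ...),
// and no letter counts as 0, so "4.1.21" < "4.1.21a".

function parseVersion(v) {
  const m = /^(\d+(?:\.\d+)*)([a-z])?$/.exec(String(v).trim());
  if (!m) throw new Error('unparseable version: ' + v);
  const nums = m[1].split('.').map(Number);
  const suffix = m[2] ? m[2].charCodeAt(0) - 96 : 0; // 'a' -> 1
  return { nums, suffix };
}

// Returns -1, 0 or 1. Missing numeric components compare as 0.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  const n = Math.max(pa.nums.length, pb.nums.length);
  for (let i = 0; i < n; i++) {
    const x = pa.nums[i] || 0, y = pb.nums[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (pa.suffix !== pb.suffix) return pa.suffix < pb.suffix ? -1 : 1;
  return 0;
}

const FIXED_VERSION = '4.1.21a';

function isAffected(version) {
  // Only the 4.x line is described by this advisory; 3.x is out of scope.
  if (parseVersion(version).nums[0] !== 4) return false;
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Constructed sample inventory, as a scanner might report it.
const SAMPLE_VERSIONS = ['3.9.9', '4.0.5', '4.1.20', '4.1.21', '4.1.21a', '4.1.22', '4.2.0'];
for (const v of SAMPLE_VERSIONS) {
  console.log(v.padEnd(8), isAffected(v) ? 'AFFECTED' : 'not affected');
}
```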

Risk factor :

High / CVSS Base Score : 9.3
CVSS Temporal Score : 7.7
Public Exploit Available : true

Family: Windows

Nessus Plugin ID: 92660

Bugtraq ID:

