LastPass Firefox Extension 4.0 < 4.1.21a Message Hijacking

High Nessus Plugin ID 92660


A password manager installed on the remote host is affected by a remote message hijacking vulnerability.


According to its version, the LastPass Firefox extension installed on the remote Windows host is 4.0.x prior to 4.1.21a. It is, therefore, affected by a message hijacking vulnerability due to improper validation of messages sent between the extension and a privileged iframe. An unauthenticated, remote attacker can exploit this issue, by convincing a user into loading a specially crafted web page that programmatically clicks a LastPass modified input element, to take full control of the LastPass extension, including creating and deleting files, executing scripts, and disclosing passwords.


Upgrade to LastPass Firefox extension version 4.1.21a or later.

See Also

Plugin Details

Severity: High

ID: 92660

File Name: lastpass_4_1_21a_firefox_extension_message_hijacking.nasl

Version: $Revision: 1.4 $

Type: local

Agent: windows

Family: Windows

Published: 2016/08/01

Modified: 2017/01/16

Dependencies: 96534

Risk Information

Risk Factor: High


Base Score: 9.3

Temporal Score: 7.7

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:ND


Base Score: 8.8

Temporal Score: 8.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:X

Vulnerability Information

CPE: x-cpe:/a:lastpass:lastpass

Required KB Items: Browser/Firefox/Extension

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/07/27

Vulnerability Publication Date: 2016/07/27

Reference Information

OSVDB: 142154