Detections
Analytics
LastPass Firefox Extension 4.0 < 4.1.21a Message Hijacking
high Nessus Plugin ID 92660
Language:
Synopsis
A password manager installed on the remote host is affected by a remote message hijacking vulnerability.Description
According to its version, the LastPass Firefox extension installed on the remote Windows host is 4.0.x prior to 4.1.21a. It is, therefore, affected by a message hijacking vulnerability due to improper validation of messages sent between the extension and a privileged iframe. An unauthenticated, remote attacker can exploit this issue, by convincing a user into loading a specially crafted web page that programmatically clicks a LastPass modified input element, to take full control of the LastPass extension, including creating and deleting files, executing scripts, and disclosing passwords.Solution
Upgrade to LastPass Firefox extension version 4.1.21a or later.See Also
https://bugs.chromium.org/p/project-zero/issues/detail?id=884
https://blog.lastpass.com/2016/07/lastpass-security-updates.html/
https://thehackernews.com/2016/07/lastpass-password-manager.html
Plugin Details
Severity: High
ID: 92660
File Name: lastpass_4_1_21a_firefox_extension_message_hijacking.nasl
Version: 1.7
Type: local
Agent: windows
Family: Windows
Published: 8/1/2016
Updated: 11/15/2018
Supported Sensors: Nessus Agent, Nessus
Risk Information
CVSS v2
Risk Factor: High
Base Score: 9.3
Temporal Score: 6.9
Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS v3
Risk Factor: High
Base Score: 8.8
Temporal Score: 7.7
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: x-cpe:/a:lastpass:lastpass
Required KB Items: Browser/Firefox/Extension
Patch Publication Date: 7/27/2016
Vulnerability Publication Date: 7/27/2016