
Click Studios, developer of the enterprise-focused password management solution PasswordState, said it has released a security update to address an authentication bypass vulnerability in the software.
The issue, which has not yet been assigned a CVE identifier, has been addressed in PasswordState 9.9 (Build 9972), released on August 28, 2025.
The Australian company said it has fixed “potential authentication bypass when using carefully created URLs for emergency access pages for Core PasswordState products.”
The latest version also includes improved protections to safeguard users who visit compromised sites against potential clickjacking attacks aimed at browser extensions.
The safeguards may be a response to findings from security researcher Marek Tóth, who earlier this month detailed a technique called Document Object Model (DOM)-based extension clickjacking, to which several password manager browser add-ons were found to be vulnerable.

“Attackers can now steal user data (credit card details, personal data, and login credentials including TOTP) anywhere on attacker-controlled websites,” Tóth said. “The new techniques are common and can be applied to other types of extensions.”
According to Click Studios, the password manager is used by 29,000 customers and 370,000 security and IT professionals, spanning global businesses, government agencies, financial institutions and Fortune 500 companies.
The disclosure comes more than four years after the company suffered a supply chain breach that allowed attackers to hijack the software's update mechanism to deliver malware that could harvest sensitive information from compromised systems.
Then, in December 2022, Click Studios also resolved multiple security flaws in PasswordState, including an authentication bypass in the PasswordState API (CVE-2022-3875, CVSS score: 9.1).