Vulnerability CVE-2022-28795

Vulnerability Name:

CVE-2022-28795 (CCN-224256)

Assigned:

2022-04-07

Published:

2022-04-07

Updated:

2022-04-20

Summary:

A vulnerability within the Avira Password Manager Browser Extensions provided a potential loophole where, if a user visited a page crafted by an attacker, the discovered vulnerability could trigger the Password Manager Extension to fill in the password field automatically. An attacker could then access this information via JavaScript. The issue was fixed with the browser extensions version 2.18.5 for Chrome, MS Edge, Opera, Firefox, and Safari.

CVSS v3 Severity:

6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

8.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
7.7 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

9.0 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-noinfo

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2022-28795

Source: XF
Type: UNKNOWN
avira-cve202228795-info-disc(224256)

Source: CCN
Type: Norton Web site
Avira Password Manager-Browser Extensions vulnerable to Sensitive Data Leakage via Phishing

Source: MISC
Type: Third Party Advisory
https://support.norton.com/sp/static/external/tools/security-advisories.html

Source: CCN
Type: Avira Web site
Avira Password Manager Browser Extensions

Vulnerable Configuration:

Configuration 1:

cpe:/a:avira:password_manager:2.18.4:*:*:*:*:safari:*:*

OR cpe:/a:avira:password_manager:2.18.4.3847:*:*:*:*:edge:*:*

OR cpe:/a:avira:password_manager:2.18.4.3847:*:*:*:*:opera:*:*

OR cpe:/a:avira:password_manager:2.18.4.3868:*:*:*:*:chrome:*:*

OR cpe:/a:avira:password_manager:2.18.4.38471:*:*:*:*:firefox:*:*

Denotes that component is vulnerable

BACK