CVE-2023-23349

Summary

Kaspersky has fixed a security issue in Kaspersky Password Manager (KPM) for Windows that allowed a local user to recover the auto-filled credentials from a memory dump when the KPM extension for Google Chrome is used. To exploit the issue, an attacker must trick a user into visiting a login form of a website with the saved credentials, and the KPM extension must autofill these credentials. The attacker must then launch a malware module to steal those specific credentials.

Affected Software

VendorProductVersion RangeStatus
KasperskyKaspersky Password Manager for Windows* < 24.0.0.427affected

Weaknesses

  • CWE-316: CWE-316: Cleartext Storage of Sensitive Information in Memory

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References