CVE-2023-35866
low-risk
Published 2023-06-19
In KeePassXC through 2.7.5, a local attacker can make changes to the Database security settings, including master password and second-factor authentication, within an authenticated KeePassXC Database session, without the need to authenticate these changes by entering the password and/or second-factor authentication to confirm changes. NOTE: the vendor's position is "asking the user for their password prior to making any changes to the database settings adds no additional protection against a local attacker."
Do I need to act?
- EPSS: 0.02% chance of exploitation (low exploit probability)
- CISA KEV: not listed; no confirmed active exploitation reported to CISA
- Patch status: unknown; check vendor advisories for fix availability and mitigation guidance
- CVSS: 5.5/10 (Medium); attack vector LOCAL, LOW attack complexity
Affected Products (1)
Affected Vendors
References (10)
Issue Tracking: https://github.com/keepassxreboot/keepassxc/issues/9339
Issue Tracking: https://github.com/keepassxreboot/keepassxc/issues/9391
Risk score: 23 / 100 (low-risk)
Severity: 18/34 · Moderate
Exploitability: 0/34 · Minimal
Exposure: 5/34 · Minimal