Overview
- Click Studios urged immediate upgrades to Passwordstate 9.9 (Build 9972), which fixes an authentication bypass triggered by a crafted URL on the Emergency Access page.
- The company confirmed the flaw allows navigation into the Administration section without proper authentication when the malicious URL is used.
- Customers unable to update right away were instructed to restrict Emergency Access to specific IP ranges as a short-term, partial mitigation.
- The release also adds protections to the Passwordstate browser extension to reduce exposure to DOM-based clickjacking techniques highlighted by researcher Marek Tóth.
- Passwordstate is used by about 29,000 organizations and 370,000 IT and security professionals, and prior incidents include a 2021 update-channel breach and a 2022 API authentication bypass CVE.
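The interim mitigation above (allowing Emergency Access only from specific IP ranges) is only partial, and the vendor's advice is still to update. One way a defender can verify that the restriction is actually holding, and find requests to that page from outside the permitted ranges in existing web-server logs, is shown below. This is an added example, not code from Click Studios or from the page; the page path `/emergency-access`, the allowed ranges and the log line format are all assumed and constructed for the example, not taken from the product.

```python
import ipaddress
import re
from typing import Iterable, Optional

# Hypothetical path of the Emergency Access page (the real path is not given on the page).
EMERGENCY_ACCESS_PATH = "/emergency-access"

# Assumed permitted source ranges, mirroring the "restrict to specific IP ranges" mitigation.
ALLOWED_RANGES = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.0.2.0/24")]

# Constructed, simplified log format: "<date> <time> <client_ip> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")


def is_allowed(client_ip: str) -> bool:
    """True if the client address lies inside one of the permitted ranges.

    Anything that does not parse as an IP address is treated as NOT allowed,
    so a malformed or spoofed field in the log is surfaced rather than ignored.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_RANGES)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for lines that do not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    date, time, ip, method, path, status = m.groups()
    return {"date": date, "time": time, "ip": ip,
            "method": method, "path": path, "status": int(status)}


def targets_emergency_access(raw_path: str) -> bool:
    """Compare the request path to the Emergency Access page, ignoring the query
    string, a trailing slash and letter case so trivial variants are not missed."""
    path = raw_path.split("?", 1)[0].rstrip("/").lower()
    return path == EMERGENCY_ACCESS_PATH


def find_out_of_range_access(lines: Iterable[str]) -> list:
    """Return every parsed request to the Emergency Access page whose client
    address is outside ALLOWED_RANGES, in log order."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not targets_emergency_access(rec["path"]):
            continue
        if not is_allowed(rec["ip"]):
            findings.append(rec)
    return findings


# Constructed sample log: two permitted hits, one unrelated page, one unparsable
# line, and three requests that should be flagged.
SAMPLE_LOG = """
2025-11-01 08:00:01 10.20.5.7 GET /emergency-access 200
2025-11-01 08:00:09 198.51.100.23 GET /emergency-access?x=1 200
2025-11-01 08:01:15 192.0.2.10 POST /emergency-access 302
2025-11-01 08:02:40 203.0.113.5 GET /passwords 200
this line is not in the expected format
2025-11-01 08:03:00 not-an-ip GET /emergency-access 200
2025-11-01 08:04:00 203.0.113.9 GET /Emergency-Access/ 200
"""

if __name__ == "__main__":
    for rec in find_out_of_range_access(SAMPLE_LOG.splitlines()):
        print(f"{rec['date']} {rec['time']} {rec['ip']} {rec['method']} {rec['path']} -> {rec['status']}")
```

Run against a real export, the interesting findings are page hits from outside the permitted ranges that still returned a success status after the restriction was put in place, which would mean the restriction is not being enforced where the request actually arrives (for example behind a proxy that rewrites the client address). The check confirms the mitigation is in effect; it does not replace the Build 9972 upgrade.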