Executive Summary
During an external penetration test, a reflected cross-site scripting vulnerability was discovered in Netwrix Password Manager which may permit an attacker to execute arbitrary code within the context of the web browser. Netwrix has released a patch for this vulnerability.
Important
Active development of Netwrix Password Manager has ceased and it will become end-of-life on October 17, 2024. Customers still using Netwrix Password Manager are advised to contact their account manager or Netwrix Support.
Vulnerability
Affected Component | Affected Versions | CVSS 3.1 Score (base / temporal) | Title | Description |
---|---|---|---|---|
Netwrix Password Manager | All versions | 6.1 / 5.5 | Reflected Cross-site Scripting in Netwrix Password Manager | A reflected cross-site scripting vulnerability was discovered in Netwrix Password Manager which may permit an attacker to execute arbitrary code within the context of the web browser. |
Exploitability
Factors such as whether details about the vulnerability are publicly known, whether an exploit is readily available, or whether adversaries are actively exploiting the vulnerability are valuable in making risk-based judgements about urgency and priority; customers should use the information below in making those decisions.
Title | Publicly known? | Exploit available? | Actively exploited? |
---|---|---|---|
Reflected Cross-site Scripting in Netwrix Password Manager | No | No | No |
Solution
Netwrix Password Manager customers are advised to take the following actions:
- If not already running on the latest version, update Netwrix Password Manager to version 6.6.854 (download here). Please contact the Netwrix technical support team should you need assistance.
- Download the patch and manually replace the included files in the Web_SS subdirectory of the Netwrix Password Manager installation directory. By default this path is C:\Program Files (x86)\NetWrix Password Manager\Web_SS.
- Discuss options for migrating off of Netwrix Password Manager with your account manager or Netwrix Support.
Official Fixes
Updated software has been released containing official fixes as indicated in the table below.
Title | Version |
---|---|
Reflected Cross-site Scripting in Netwrix Password Manager | Netwrix Password Manager 6.6.854 with manually applied patch |
FAQ
- How do I determine the version of Netwrix Password Manager?
  The version of Netwrix Password Manager can be determined by navigating to the Windows ‘Add/Remove Programs’ control panel and inspecting the version under ‘Netwrix Password Manager’.
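The following PowerShell script is an added example and is not part of the Netwrix advisory or the product. It reads the same uninstall registry data that ‘Add/Remove Programs’ displays, compares the installed version with the 6.6.854 baseline named in the Solution section, and records a SHA-256 inventory of the Web_SS directory so that the manual file replacement can be verified by comparing a snapshot taken before the patch with one taken after. It assumes the product registers an uninstall entry whose DisplayName contains "Netwrix Password Manager" (or the older "NetWrix" spelling) and uses the default Web_SS path from the advisory when no InstallLocation is registered.

```powershell
# Added example, not Netwrix code. Checks the installed Netwrix Password Manager
# version against the advisory's 6.6.854 baseline and inventories Web_SS hashes.
# Assumption: the uninstall entry's DisplayName matches 'Net[Ww]rix Password Manager'.

$FixedVersion = [version]'6.6.854'
$DefaultWebSS = 'C:\Program Files (x86)\NetWrix Password Manager\Web_SS'
$InventoryCsv = Join-Path $env:TEMP 'WebSS-inventory.csv'

# 64-bit, 32-bit (WOW6432Node) and per-user uninstall hives
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Installed = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'Net[Ww]rix Password Manager' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

if (-not $Installed) {
    Write-Output 'Netwrix Password Manager does not appear in the uninstall registry keys.'
    return
}

foreach ($app in $Installed) {
    $ver = $null
    if (-not [version]::TryParse($app.DisplayVersion, [ref]$ver)) {
        Write-Output "$($app.DisplayName): cannot parse version '$($app.DisplayVersion)'; check manually."
        continue
    }

    if ($ver -lt $FixedVersion) {
        Write-Output "$($app.DisplayName) $ver is older than $FixedVersion: update first, then apply the Web_SS patch."
    } else {
        # 6.6.854 alone is not the fix; the advisory requires the manually applied Web_SS patch as well.
        Write-Output "$($app.DisplayName) $ver meets the $FixedVersion baseline; confirm the Web_SS patch files are in place."
    }

    # Prefer the registered install location; fall back to the advisory's default path.
    $webSS = if ($app.InstallLocation) { Join-Path $app.InstallLocation 'Web_SS' } else { $DefaultWebSS }
    if (-not (Test-Path $webSS)) {
        Write-Output "Web_SS directory not found at $webSS"
        continue
    }

    # Snapshot file hashes and timestamps; diff this CSV against a post-patch run
    # (Compare-Object on the Hash column) to confirm the replaced files actually changed.
    Get-ChildItem -Path $webSS -File -Recurse |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash, @{ n = 'LastWriteUtc'; e = { (Get-Item $_.Path).LastWriteTimeUtc } } |
        Export-Csv -Path $InventoryCsv -NoTypeInformation
    Write-Output "Web_SS inventory written to $InventoryCsv"
}
```

Run the script once before replacing the files and once afterwards (renaming the first CSV), then compare the two inventories; files listed in the patch should show a changed hash, and nothing outside that set should differ.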
Revisions
Updates to this advisory may be made as necessary. Information about each change will be published in the table below.
Revision | Date | Description |
---|---|---|
1 | 2024-03-26T14:00:00Z | First published |
Disclaimer
The information and materials included in or linked to this Security Advisory are provided on an “as-is” basis and without warranty of any kind, and we disclaim all representations and warranties of any kind, whether express or implied, including warranties of merchantability and fitness for a particular use. You acknowledge and agree that your use of the information and materials included in or linked to this Security Advisory are at your own risk.