CVE-2018-25081

HIGH

Bitwarden < 2023.2.1 - Exposure of Sensitive Information via Cross-Domain IFRAME Auto-Fill


Description

Bitwarden through 2023.2.1 offers password auto-fill within a cross-domain IFRAME element. NOTE: the vendor's position is that there have been important legitimate cross-domain configurations (e.g., an apple.com IFRAME element on the icloud.com website) and that "Auto-fill on page load" is not enabled by default.

Scores

CVSS v3: 7.5
EPSS: 0.0103
EPSS Percentile: 59.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-200
Status: published
Products (1): bitwarden/bitwarden < 2023.2.1
Published: Mar 09, 2023
Tracked Since: Feb 18, 2026