CVE-2018-25081
Severity: HIGH
Bitwarden < 2023.2.1 - Exposure of Sensitive Information via Cross-Domain IFRAME Auto-Fill
Title source: llmDescription
Bitwarden through 2023.2.1 offers password auto-fill within a cross-domain IFRAME element. NOTE: the vendor's position is that there have been important legitimate cross-domain configurations (e.g., an apple.com IFRAME element on the icloud.com website) and that "Auto-fill on page load" is not enabled by default.
References (4)
Technical Description, Vendor Advisory: https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assessment%20Report.pdf
Exploit, Third Party Advisory: https://flashpoint.io/blog/bitwarden-password-pilfering/
Release Notes: https://github.com/bitwarden/clients/releases
Third Party Advisory: https://news.ycombinator.com/item?id=35075861
Scores
CVSS v3
7.5
EPSS
0.0103
EPSS Percentile
59.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (1)
bitwarden/bitwarden
< 2023.2.1
Published
Mar 09, 2023
Tracked Since
Feb 18, 2026