CVE-2022-4611

MEDIUM

Click Studios Passwordstate - Hard-Coded Credentials


Exploitation Summary

EIP tracks 2 public exploits for CVE-2022-4611. PoCs published by Phamchie, fgsoftware1.

AI-analyzed exploit summary

This PoC exploits CVE-2022-4611 by sending a malformed HTTP request with an oversized 'X-Data' header to trigger a buffer overflow. It establishes a socket connection to the target host and port, sends the crafted payload, and attempts to receive a response.

Description

A vulnerability, which was classified as problematic, was found in Click Studios Passwordstate and Passwordstate Browser Extension Chrome. This affects an unknown part. The manipulation leads to hard-coded credentials. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The identifier VDB-216273 was assigned to this vulnerability.

Exploits (2)

nomisec WORKING POC 2 stars
by Phamchie · poc
https://github.com/Phamchie/CVE-2022-4611

This PoC exploits CVE-2022-4611 by sending a malformed HTTP request with an oversized 'X-Data' header to trigger a buffer overflow. It establishes a socket connection to the target host and port, sends the crafted payload, and attempts to receive a response.

Classification: Working PoC (80%)
Attack Type: DoS
Complexity: Trivial
Reliability: Theoretical
Target: Unknown (likely a web server or application vulnerable to buffer overflow in HTTP header processing)
Authentication: No auth needed
Prerequisites: Network access to the target host and port · Target software must be vulnerable to CVE-2022-4611
Analyzed by devstral-2 · Feb 16, 2026
nomisec WORKING POC
by fgsoftware1 · poc
https://github.com/fgsoftware1/CVE-2022-4611

This Go-based PoC exploits CVE-2022-4611 by sending a crafted HTTP request with a long 'X-Data' header to trigger a buffer overflow, followed by a TCP socket connection to check for output. It targets a vulnerability in an unspecified software, likely a web server or service.

Classification: Working PoC (80%)
Attack Type: DoS
Complexity: Trivial
Reliability: Theoretical
Target: Unspecified (likely a web server or service vulnerable to buffer overflow via HTTP headers)
Authentication: No auth needed
Prerequisites: Network access to the target · Target service running and exposed
Analyzed by devstral-2 · Feb 16, 2026

References (3)

Core References

Third Party Advisory (vdb-entry): https://vuldb.com/?id.216273
Third Party Advisory (signature, permissions-required): https://vuldb.com/?ctiid.216273

Scores

CVSS v3: 4.3
EPSS: 0.0123
EPSS Percentile: 65.1%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Details

CWE: CWE-798
Status: published
Products (3):
clickstudios/passwordstate 9.5 build_9500 (7 CPE variants)
clickstudios/passwordstate 9.5.8.4
clickstudios/passwordstate < 9.5
Published: Dec 19, 2022
Tracked Since: Feb 18, 2026