CVE-2020-35207

Published: Dec 12, 2020Modified: Nov 21, 2024

5.7

Vector

CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 0.5 / Impact: 5.2

Source: NVD

Description

An issue was discovered in the LogMein LastPass Password Manager (aka com.lastpass.ilastpass) app 4.8.11.2403 for iOS. The PIN authentication for unlocking can be bypassed by forcing the authentication result to be true through runtime manipulation. In other words, an attacker could authenticate with an arbitrary PIN. NOTE: the vendor has indicated that this is not an attack of interest within the context of their threat model, which excludes jailbroken devices

Affected (1)

Products: Logmein: Lastpass

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Logmein Lastpass	Version 4.8.11.2403

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (4)

https://github.com/evilblazer/LastPassVulnerabilities

Source: cve@mitre.org

ExploitThird Party Advisory

https://youtu.be/C5j7drIylsQ

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/evilblazer/LastPassVulnerabilities

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://youtu.be/C5j7drIylsQ

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.