CVE-2025-1987
BaseFortify
Publication date: 2025-06-21
Last updated on: 2025-07-30
Assigner: Bitdefender
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| esaqa | psono_client | to 4.0.4 (inc) |
| bitdefender | securepass | to 0.0.76 (exc) |
| bitdefender | securepass | to 1.0.10 (exc) |
| bitdefender | securepass | to 1.1.8 (exc) |
| bitdefender | securepass | to 1.1.18 (exc) |
| bitdefender | securepass | to 1.1.22 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Scripting (XSS) issue in the Psono-Client component of Bitdefender SecurePass. It occurs because the client does not properly sanitize the URL field in vault entries of type website_password and bookmark. An attacker can create or trick a user into importing a malicious vault entry containing a javascript:URL. When the user interacts with this entry, the malicious JavaScript executes within the Psono vault context, allowing the attacker to run arbitrary code in the victim's browser and potentially access sensitive data like the user's password vault.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of the victim's browser when interacting with a malicious vault entry. This can lead to unauthorized access to the user's password vault and sensitive data stored within it, potentially compromising the user's credentials and other confidential information.