Incident Reports - April security bulletins

Heads up, Passbolt users! As mentioned last week, here is the security bulletin on the two vulnerabilities that were discovered by security researchers and both fixed in v4.6.2. Make sure to update to the latest version and read the full reports on the incident pages: Passbolt Help | Incidents

The first one, a vulnerability identified by security researchers of @quarkslab, would have allowed an attacker capable of observing the Passbolt browser extension's queries to the Pwned Passwords API to brute-force, and therefore guess, manually entered passwords more easily.

The second one, a vulnerability discovered by Ruben Meeuwissen, would allow for HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, as defined in the default configuration, it may still impact the appearance and user interaction of the page.
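To illustrate the class of issue described above, the following is an added example and not Passbolt's own code: a generic page that reflects a `title` query parameter into its markup. `renderUnsafe` reproduces the injection pattern (the raw parameter becomes part of the HTML, so a crafted link changes what the visitor sees even when CSP blocks script execution), and `renderSafe` shows the fix of escaping the value so it can only ever render as text. The function names, the parameter name and the sample URL are assumptions made for the example.

```javascript
// Added example, not Passbolt code: reflecting a URL query parameter into HTML.
// renderUnsafe() shows the HTML-injection pattern, renderSafe() the mitigation.

// Map of the characters that can change HTML structure or close an attribute.
const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape a value so it is rendered as literal text wherever it lands in the page.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Read a named query parameter from a full URL; returns "" when it is absent.
function getParam(url, name) {
  return new URL(url).searchParams.get(name) ?? "";
}

// Vulnerable pattern (hypothetical): the raw parameter is concatenated into
// markup, so any tags it carries are rendered. CSP may stop <script> from
// running, but it does not stop injected text, styling or form elements
// from appearing on the page.
function renderUnsafe(url) {
  return `<h1 class="title">${getParam(url, "title")}</h1>`;
}

// Mitigated pattern: the parameter is escaped before interpolation. In a real
// browser page the equivalent is assigning the value via element.textContent
// rather than innerHTML.
function renderSafe(url) {
  return `<h1 class="title">${escapeHtml(getParam(url, "title"))}</h1>`;
}

// Constructed sample: a link whose "title" parameter carries markup that
// would alter the page's appearance if reflected unescaped.
const CRAFTED_URL =
  "https://app.example.test/page?title=" +
  encodeURIComponent('<div style="color:red">Contact support at 555-0100</div>');

// Stand-alone demonstration of both renderings.
console.log("unsafe:", renderUnsafe(CRAFTED_URL));
console.log("safe:  ", renderSafe(CRAFTED_URL));
```

The point a reviewer would take from the comparison is that a Content Security Policy is a second layer, not a substitute for output encoding: the unescaped rendering still lets a crafted URL dictate visible content, which is exactly the "appearance and user interaction" impact the bulletin describes.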

