PBL-11 Security audit results

Introduction

In the lead-up to the stable release of the Passbolt UWP Windows application, the Cure53 team dedicated two days to a focused audit of the application’s native layer. This review revealed a total of five findings—four security vulnerabilities and one general weakness—all of which were resolved prior to the v1.0 release.

Quotes from the conclusion of the report: “Upon completion of this security audit, Cure53 gained a strong impression of the security premise employed by the Passbolt team. The quality of the codebase was generally impressive, while the architecture and frameworks employed generally installed resilient design paradigms.”

In addition to the detailed findings of this audit, the security incident section also houses separate reports that examine the browser extensions. Some of the browser extension code is also used in the Desktop application, so those reports give more details on other components of this application.

All the issues have been fixed or mitigations have been implemented as of 11th April 2024.

Further details of the security audit are available in the full report.

A big thank you from the Passbolt team to Cure53 for their collaborative spirit and expertise shared during this project.

Vulnerabilities summary

| ID | Issue name | Severity | Status |
|---|---|---|---|
| PBL-11-001 | Insecure Regex pattern allows canNavigate bypass | Medium | Mitigated in v1.0 |
| PBL-11-002 | PasswordVault can be accessed by Desktop apps | Low | Mitigated in v1.0 |
| PBL-11-003 | JS execution by modifying LocalFolder Resources | Low | Mitigated in v1.0 |
| PBL-11-004 | Insecure CSP Configuration in renderers | Low | Mitigated in v1.0 |
| PBL-11-005 | Arbitrary requestId used as topic in background | Medium | Mitigated in v1.0 |

Last updated

This article was last updated on April 15th, 2024.