CVE-2020-27747
Possible Account Takeover | Brute Force Ability
[Suggested description] An issue was discovered in Click Studios Passwordstate 8.9 (Build 8973). If a user has set a PIN code for logging in from a mobile device using the built-in generator (4 digits), a remote attacker can conduct a brute force attack against this PIN code.
[Additional Information] The vendor was notified of the vulnerability by letter.
[VulnerabilityType Other] CWE-307: Improper Restriction of Excessive Authentication Attempts
[Vendor of Product] Click Studios (https://www.clickstudios.com.au/)
[Affected Product Code Base] Affected version: Passwordstate 8.9 (Build 8973). No fixed version is available.
[Affected Component] Mobile login page
[Attack Type] Remote
[Impact Information Disclosure] true
[Attack Vectors] If a user has set a PIN code for logging in from a mobile device using the built-in generator (4 digits), a remote attacker can conduct a brute force attack against this PIN code.
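As an added illustration of the CWE-307 weakness described above (example code, not code from Passwordstate or Click Studios), the following Python contrasts a 4-digit PIN check that accepts unlimited attempts with a verifier that counts failures per account and enforces a lockout; the MAX_FAILURES and LOCKOUT_SECONDS values, the class and function names, and the injectable clock are assumptions made for this example, not the product's own policy.

```python
"""CWE-307 on a 4-digit mobile PIN: unthrottled check beside a locked-out one."""
import hmac
import time

PIN_SPACE = 10 ** 4          # a 4-digit generated PIN has only 10,000 candidates
MAX_FAILURES = 5             # assumed policy: lock the account after 5 wrong PINs
LOCKOUT_SECONDS = 15 * 60    # assumed policy: 15-minute lockout window


def verify_pin_unthrottled(stored_pin: str, attempt: str) -> bool:
    """Weak pattern: every attempt is evaluated, so nothing limits a remote
    attacker to fewer than the whole 10,000-candidate space."""
    return hmac.compare_digest(stored_pin, attempt)


class ThrottledPinVerifier:
    """Hardened pattern: per-account failure counter plus a lockout window."""

    def __init__(self, stored_pin: str, clock=time.monotonic):
        self._pin = stored_pin
        self._clock = clock          # injectable so lockout expiry can be tested
        self._failures = 0
        self._locked_until = 0.0

    def is_locked(self) -> bool:
        return self._clock() < self._locked_until

    def verify(self, attempt: str) -> bool:
        # While locked, reject even the correct PIN so the lock cannot be probed.
        if self.is_locked():
            return False
        if hmac.compare_digest(self._pin, attempt):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= MAX_FAILURES:
            self._locked_until = self._clock() + LOCKOUT_SECONDS
            self._failures = 0
        return False


def keyspace_fraction_before_lockout(max_failures: int = MAX_FAILURES) -> float:
    """Share of the PIN space that can be tested before the first lockout:
    with 5 tries per window that is 5 / 10,000 = 0.05% of all PINs."""
    return max_failures / PIN_SPACE
```

The lockout alone does not make a 4-digit PIN strong; it only turns an instant exhaustive search into one that is slow and noisy enough to alert on, so failed-attempt and lockout events should also be logged.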
[Discoverer] Dmitry Kuramin (Jet Infosystems, jet.su)
[Reference] https://jet.su