CVE-2025-1987 – Stored XSS in Psono-Client via Malicious Vault Entry URLs

https://notcve.org/view.php?id=CVE-2025-1987

21 Jun 2025 — A Cross-Site Scripting (XSS) vulnerability has been identified in Psono-Client’s handling of vault entries of type website_password and bookmark, as used in Bitdefender SecurePass. The client does not properly sanitize the URL field in these entries. As a result, an attacker can craft a malicious vault entry (or trick a user into creating or importing one) with a javascript:URL. When the user interacts with this entry (for example, by clicking or opening it), the application will execute the malicious JavaS... • https://bitdefender.com/support/support/security-advisories/stored-xss-in-psono-client-via-malicious-vault-entry-urls • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •