Kunzisoft / KeePassDX

Lightweight vault and password manager for Android. KeePassDX allows editing encrypted data in a single file in KeePass format and filling in forms in a secure way.
https://www.keepassdx.com/
GNU General Public License v3.0

CVE-2023-24055 - Keepass disputed exploit - is it mitigated on KeePass DX? #1497

Open jimmiedave opened 1 year ago

jimmiedave commented 1 year ago

From SourceForge discussion:

If an attacker modifies the xml config file (adding an export trigger on 'Opened database file') he will be able to export all the passwords, without us knowing it. Shouldn't the user be asked to confirm before exporting?

Is this possible on KeePass DX? (I realize OS security should be configured to mitigate in both cases, but is this trigger available in KeePass DX?)

J-Jamet commented 1 year ago

CVE-2023-24055 has absolutely nothing to do with KeePassDX so no debate to have here. It uses a trigger function of the KeePass PC XML program. KeePassDX does not use an internal configuration file, does not have a trigger and uses another OS that does not have the same constraints.

And even if there was this kind of function, it would require, as it is indicated, access to the application file system; that's why it is DISPUTED. Dominik explains the subject well here: https://keepass.info/help/kb/sec_issues.html. If the attacker has write access to the configuration file, you already have other problems. If this is the case, nothing prevents the malicious person from using other methods to recover all the contents of your PC and all the encrypted contents when you open an encrypted area.