Open lathspell opened 1 year ago
KeePassXC is not affected, because it doesn't support triggers.
What if an attacker edits the config and instructs my KeePassXC to export my database into a file, by editing this section? So what happens when I start it next time? (I don't know, I'm just asking.)
[KeeShare]
Active="<?xml version=\"1.0\...
(PS: I agree with the original KeePass response saying that if an attacker can write there, it's already doomed. And I don't know if this section by itself, in KeePassXC, can instruct the program to do an export or import. I can see my import path in there.)
Maybe the export/import settings could be within the encrypted database, rather than in the ini file?
That setting has absolutely nothing to do with exporting database entries. That is your signing key used by KeeShare, which is a feature that is no longer used for any meaningful purpose.
If someone can edit your files, why don't they just replace your keepassxc.exe with a fake keepassxc?
@Cologler
If you installed keepassxc then it would be placed in a protected area of the operating system (one that requires admin access). Then this attack is not possible as a normal user.
The config files are stored in user editable directories by necessity.
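The CVE discussed in this thread hinges on trigger definitions that live in KeePass's user-writable configuration file, exactly the location the comment above describes, while KeePassXC has no trigger system at all. The script below is an added example (not code from KeePass or KeePassXC) that audits a KeePass 2.x config for configured triggers from a defender's position: it lists every trigger, its events and actions, and highlights action parameters that name a file path or URL, since those are the destinations an exported database could be written to. The element layout Configuration/Application/TriggerSystem/Triggers/Trigger with Name, Guid, Events/Event/TypeGuid and Actions/Action/TypeGuid + Parameters/Parameter is assumed from the KeePass 2.x format; every GUID, path and trigger name in the sample is a constructed placeholder.

```python
"""Audit a KeePass 2.x config (KeePass.config.xml) for trigger definitions.

Added example for this issue thread, not KeePass or KeePassXC code. Element
names are assumptions about the KeePass 2.x layout; all values are constructed.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Constructed sample: one trigger whose action writes to a file path.
SAMPLE_WITH_TRIGGER = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>00000000-0000-0000-0000-000000000001</Guid>
          <Name>Sample trigger</Name>
          <Events>
            <Event><TypeGuid>00000000-0000-0000-0000-0000000000E1</TypeGuid></Event>
          </Events>
          <Actions>
            <Action>
              <TypeGuid>00000000-0000-0000-0000-0000000000A1</TypeGuid>
              <Parameters>
                <Parameter>C:\\Users\\Public\\sample-output.xml</Parameter>
                <Parameter>Sample format</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Constructed sample: trigger system present but no triggers defined.
SAMPLE_CLEAN = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers />
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Heuristic: a parameter that starts like a Windows drive path, UNC path,
# POSIX path or URL is a destination data could be written to or sent to.
_DESTINATION = re.compile(r"^(?:[A-Za-z]:\\|\\\\|/|[a-z][a-z0-9+.-]*://)", re.I)


@dataclass
class Trigger:
    name: str
    guid: str
    event_types: list = field(default_factory=list)
    actions: list = field(default_factory=list)  # (action TypeGuid, [parameters])

    def destinations(self):
        """Action parameters that look like a file path or URL."""
        return [p for _, params in self.actions for p in params if _DESTINATION.match(p)]


def load_triggers(config_xml: str) -> list:
    """Parse every Trigger element under Application/TriggerSystem/Triggers."""
    root = ET.fromstring(config_xml)
    found = []
    for trig in root.iterfind("./Application/TriggerSystem/Triggers/Trigger"):
        t = Trigger(name=trig.findtext("Name", default="").strip(),
                    guid=trig.findtext("Guid", default="").strip())
        t.event_types = [e.findtext("TypeGuid", default="").strip()
                         for e in trig.iterfind("./Events/Event")]
        for act in trig.iterfind("./Actions/Action"):
            params = [(p.text or "").strip() for p in act.iterfind("./Parameters/Parameter")]
            t.actions.append((act.findtext("TypeGuid", default="").strip(), params))
        found.append(t)
    return found


def audit(config_xml: str) -> list:
    """One finding per configured trigger; an empty list means none are configured."""
    findings = []
    for t in load_triggers(config_xml):
        line = (f"trigger {t.guid} ({t.name!r}): {len(t.event_types)} event(s), "
                f"{len(t.actions)} action(s)")
        if t.destinations():
            line += "; reaches " + ", ".join(t.destinations())
        findings.append(line)
    return findings


if __name__ == "__main__":
    import sys
    # Pass a real config path to audit it; otherwise the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_WITH_TRIGGER
    for finding in audit(text) or ["no triggers configured"]:
        print(finding)
```

Any trigger reported here deserves a look, since a stock KeePass install ships with none; the path or URL highlight only tells the reviewer where an action would write, it does not decide by itself whether the trigger is malicious.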
@droidmonkey The installer needs admin permission. So when the user installs the software from the attacker, the attacker has already got admin permission.
If you run malware as an admin, there is nothing anyone or anything can do to protect you.
@droidmonkey I agree that KeePass and KeePassXC can only protect us when the database is closed, so we can place the database on a cloud service.
It would be nice if you could add some kind of statement on the website or in the release notes about whether or not KeePassXC is affected by the recent security bug in the KeePass project.
https://nvd.nist.gov/vuln/detail/CVE-2023-24055