You are right Horst, no further discussion is needed here. I am not donating any more and KeePass is dead for me, unless some basic changes are made. Have a nice life!
Hello Schultz, the topic of this conversation reads: "someone can read the passwords using export trigger" -> STILL someone can modify your config file to add an export trigger (OK, let's say KeePass is not responsible for that) -> STILL KeePass reads the modified config file and executes the export trigger -> STILL the exported passwords are in clear text. So what is the fix here???
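The chain in the post above (attacker writes a trigger into the user config, KeePass loads it and runs the export) is something an administrator can at least check for. The following is an added example, not code from KeePass, from this thread, or from any poster: a small Python scanner that lists every trigger defined in a KeePass.config.xml, flags action parameters that look like file paths or URLs, and checks whether the trigger system has been switched off. The sample config embedded below is constructed for the example and its GUID values are placeholders, not real KeePass event or action identifiers. The element path `Application/TriggerSystem/Enabled` and the enforced-configuration file name `KeePass.config.enforced.xml` are taken from the KeePass user config layout and documentation as I know them; verify both against the KeePass version you deploy.

```python
"""Scan a KeePass user config for trigger definitions (added example, not KeePass code).

Assumptions (labelled here and in the lead-in): triggers live in <Trigger>
elements below Application/TriggerSystem/Triggers, and a missing
TriggerSystem/Enabled element means the trigger system is on (the default).
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed sample of a user config into which an export trigger has been
# injected.  The GUIDs are placeholders, NOT real KeePass type identifiers.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-GUID</Guid>
          <Name>exfil</Name>
          <Enabled>true</Enabled>
          <Events>
            <Event>
              <TypeGuid>PLACEHOLDER-EVENT-GUID</TypeGuid>
              <Parameters><Parameter>0</Parameter><Parameter /></Parameters>
            </Event>
          </Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION-GUID</TypeGuid>
              <Parameters>
                <Parameter>C:\\Users\\Public\\export.xml</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Enforced config that turns the trigger system off for every user.  Placed as
# KeePass.config.enforced.xml next to KeePass.exe it overrides the user config
# (assumed mechanism; check the KeePass help for your version).
ENFORCED_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration>
  <Application>
    <TriggerSystem>
      <Enabled>false</Enabled>
    </TriggerSystem>
  </Application>
</Configuration>
"""


def _text(elem, path, default=""):
    return (elem.findtext(path) or default).strip()


def _is_true(s):
    return s.strip().lower() == "true"


@dataclass
class TriggerFinding:
    name: str
    enabled: bool
    actions: list  # [(action TypeGuid, [parameter, ...]), ...]

    def path_like_params(self):
        """Heuristic: action parameters containing a path separator or scheme."""
        return [p for _guid, params in self.actions for p in params
                if "\\" in p or "/" in p or "://" in p]


def scan_config(xml_text):
    """Return the trigger-system state and every trigger found in the config."""
    root = ET.fromstring(xml_text)
    sys_enabled = root.find("./Application/TriggerSystem/Enabled")
    findings = []
    for trig in root.iter("Trigger"):  # iter() tolerates layout differences
        actions = []
        for act in trig.findall("./Actions/Action"):
            params = [(p.text or "").strip()
                      for p in act.findall("./Parameters/Parameter")]
            actions.append((_text(act, "TypeGuid"), params))
        findings.append(TriggerFinding(
            name=_text(trig, "Name", "<unnamed>"),
            enabled=_is_true(_text(trig, "Enabled", "true")),
            actions=actions))
    return {
        "trigger_system_enabled": sys_enabled is None
                                  or _is_true(sys_enabled.text or "true"),
        "triggers": findings,
    }


def trigger_system_disabled(xml_text):
    return scan_config(xml_text)["trigger_system_enabled"] is False


def report(xml_text):
    """Human-readable findings; any trigger at all in a user config deserves a look."""
    r = scan_config(xml_text)
    lines = ["trigger system enabled: %s" % r["trigger_system_enabled"]]
    for f in r["triggers"]:
        lines.append("TRIGGER %r enabled=%s actions=%d"
                     % (f.name, f.enabled, len(f.actions)))
        for p in f.path_like_params():
            lines.append("  action parameter is a path or URL: %s" % p)
    if not r["triggers"]:
        lines.append("no triggers defined")
    return lines


if __name__ == "__main__":
    import sys
    # utf-8-sig strips the BOM KeePass writes at the start of the file
    text = (open(sys.argv[1], encoding="utf-8-sig").read()
            if len(sys.argv) > 1 else SAMPLE_CONFIG)
    print("\n".join(report(text)))
```

Run it against `%APPDATA%\KeePass\KeePass.config.xml` (or the portable install's config) from a scheduled job or an endpoint script. As the posts point out, this does not stop an attacker who can already write the config; it only makes an injected trigger visible, and the enforced config removes the trigger system entirely where nobody needs it.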
I tested the new version 2.53.1. Yes, KeePass asks for the password a second time, but with the same login mask and only a slightly modified popup title: "Enter current Master Key (Export)". A normal user will think he mistyped the master password the first time and will enter the password again. The second time the export will trigger and the attacker will still get the exported cleartext passwords. SO... no fix at all!!!
Dear Dominik Reichl, when will we see an update that fixes the export trigger vulnerability issues?
Oh yeah, you're right. The attacker must know the password in that case. My bad, sorry.
That's not a solution, because KeePassXC has no database file type of its own. KeePass can open a database saved with KeePassXC. So when you save the database with KeePassXC, an attacker can use his own portable KeePass with an export trigger in its configuration file and still export your database.