Stored XSS on item name - Bypass of (CVE-2023-2516) in nilsteampassnet/teampass
May 26th 2023
first create two user accounts and grant them permission to access a same folder. In one of the accounts, generate a new item within the folder. Paste the payload XSS into this field, then save the item. Once saved, click on the item to activate an XSS alert. This is the bypass of CVE-2023-2516
Proof of Concept
The impact of this vulnerability is that it enables an attacker to inject malicious code into a shared folder, which can then be executed by other users who have access to the folder. This can potentially lead to a range of serious consequences, such as theft of sensitive data, unauthorized access to systems, and the ability to carry out further attacks.
For instance, an attacker may use this vulnerability to steal user credentials, compromise the confidentiality of sensitive data, or even take control of a victim's account or device. They could also use the vulnerability to propagate malware or ransomware throughout the network. Additionally, if the shared folder is used for collaboration between multiple parties, the vulnerability could allow an attacker to disrupt the work of the entire group, causing loss of productivity and potential financial losses.