Stored XSS on FolderName Affecting other users and admin. in nilsteampassnet/teampass

Valid

Reported on

May 26th 2023

Description

If two users have same folder permission, malicious users can rename the folder with XSS payload, which will affect the other user, and admin. Payload: "><img src=x onerror=alert(1)>

Proof of Concept

https://drive.google.com/file/d/1ukzcFocVAnd8WKEEo7-zE4iEMVLKUnXt/view

Impact

Malicious users could potentially exploit the vulnerability in the label field of an item to carry out an HTML injection attack, which could redirect other users to an attacker's website or capture their sensitive data through a form. This could result in a variety of negative consequences, including the theft of confidential information, financial loss, and reputational damage to the affected users or organizations. Additionally, the attack could spread further, affecting other users who interact with the compromised item or website, leading to a wider breach of security.

References

Potential Bypass of CVE-2023-2859

We are processing your report and will contact the nilsteampassnet/teampass team within 24 hours. 4 months ago

We have contacted a member of the nilsteampassnet/teampass team and are waiting to hear back 4 months ago

Nils Laumaillé

commented 4 months ago

Maintainer

@srivallikusumba Don't publish on Github. YOu already published here and saw the mail. Multiplying message will not make me fix faster ... it may have the opposite effect Thank you

srivallikusumba

commented 4 months ago

Researcher

sorry for the inconvenience...will not publish on GitHub...just wanted to get some update regarding the bug .

Nils Laumaillé validated this vulnerability 4 months ago

srivallikusumba has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Nils Laumaillé marked this as fixed in 3.0.9 with commit 61b9b7 4 months ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

Nils Laumaillé published this vulnerability 4 months ago

Nils Laumaillé gave praise 4 months ago

Thank you

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

srivallikusumba

commented 4 months ago

Researcher

Thanks

to join this conversation

We are processing your report and will contact the nilsteampassnet/teampass team within 24 hours. 4 months ago

We have contacted a member of the nilsteampassnet/teampass team and are waiting to hear back 4 months ago

Nils Laumaillé

commented 4 months ago

Maintainer

@srivallikusumba Don't publish on Github. YOu already published here and saw the mail. Multiplying message will not make me fix faster ... it may have the opposite effect Thank you

srivallikusumba

commented 4 months ago

Researcher

sorry for the inconvenience...will not publish on GitHub...just wanted to get some update regarding the bug .

Nils Laumaillé validated this vulnerability 4 months ago

srivallikusumba has been awarded the disclosure bounty

The fix bounty is now up for grabs

The researcher's credibility has increased: +7

Nils Laumaillé marked this as fixed in 3.0.9 with commit 61b9b7 4 months ago

The fix bounty has been dropped

This vulnerability has been assigned a CVE

Nils Laumaillé published this vulnerability 4 months ago

Nils Laumaillé gave praise 4 months ago

Thank you

The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1

srivallikusumba

commented 4 months ago

Researcher

Thanks

to join this conversation