We've joined Protect AIJoin us over there for bounties up to $50,000+ for vulnerabilities in AI/ML repos

Stored XSS at Search page in nilsteampassnet/teampass

Valid

Reported on

Jun 25th 2023

Description

Create new item with XSS payload. Then go to Search page, XSS vulnerability will be trigger.

Proof of Concept

https://drive.google.com/file/d/1OB11FmQvy2-qRI9_r1BlavKUxJ4kaMjp/view?usp=sharing

Acknowledge

Tran Van Nhan from bl4ckh0l3 of GalaxyOne

Impact

This can potentially lead to a range of serious consequences, such as theft of sensitive data, unauthorized access to systems, and the ability to carry out further attacks.

References

We are processing your report and will contact the nilsteampassnet/teampass team within 24 hours. 3 months ago
Tran Van Nhan modified the report
3 months ago
We have contacted a member of the nilsteampassnet/teampass team and are waiting to hear back 3 months ago
Nils Laumaillé validated this vulnerability 2 months ago
Tran Van Nhan has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nils Laumaillé marked this as fixed in 3.0.10 with commit cb8ea5 2 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Nils Laumaillé published this vulnerability 2 months ago
items.queries.php#L164-L792 has been validated
Nils Laumaillé gave praise 2 months ago
Thank you
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
to join this conversation