CVE-2023-2591

HIGH 7.1 | EPSS 0.59%

teampass vulnerable to code injection

Published: 2023/5/9 | Modified: 2024/2/16

Description

In nilsteampassnet/teampass prior to 3.0.7, if two users have the same folder access, malicious users can create an item where its label field is vulnerable to HTML injection. When other users see that item, it may force them to redirect to the attacker's website or capture their data using a form. The issue is fixed in version 3.0.7.

Affected packages (1)

CVSS scores

Source | Version | Severity | Vector
osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

References (4)