CVE-2023-3086 : Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampas

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.

Published 2023-06-03 12:15:09

Updated 2023-06-09 13:59:50

Source huntr.dev

View at NVD, CVE.org

Vulnerability category: Cross site scripting (XSS)

Products affected by CVE-2023-3086

Teampass » Teampass
Versions before (<) 3.0.9
cpe:2.3:a:teampass:teampass:*:*:*:*:*:*:*:*
Matching versions

EPSS FAQ

0.21%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 44 %

Percentile, the proportion of vulnerabilities that are scored at or less

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
9.0	CRITICAL	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H	2.3	6.0	huntr.dev
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High
9.0	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H	2.3	6.0	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: Required Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Assigned by: security@huntr.dev (Primary)

https://github.com/nilsteampassnet/teampass/commit/1c0825b67eb8f8b5ecc418ff7614423a275e6a79

3.0.9 · nilsteampassnet/TeamPass@1c0825b · GitHub
Patch
https://huntr.dev/bounties/17be9e8a-abe8-41db-987f-1d5b0686ae20

Stored XSS on items in Folder in nilsteampassnet/teampass lead to ATO vulnerability found in teampass
Exploit;Patch;Third Party Advisory

Jump to