GHSA-h6jh-cf83-qcq5

Source

https://github.com/advisories/GHSA-h6jh-cf83-qcq5

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-h6jh-cf83-qcq5/GHSA-h6jh-cf83-qcq5.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-h6jh-cf83-qcq5

Aliases

CVE-2023-2859

Published

2023-05-24T09:30:25Z

Modified

2024-02-16T08:07:55.801133Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N CVSS Calculator

Summary

Code injection in nilsteampassnet/teampass

Details

nilsteampassnet/teampass prior to 3.0.9 is vulnerable to code injection. A malicious user could potentially rename a folder with a payload containing malicious code. This could result in an attack on an admin who edits the folder, as the payload could execute upon the admin's interaction with the folder. This attack could potentially allow the attacker to gain unauthorized access to the admin's system or steal sensitive information, or it could force admin to get redirected to a website controlled by the attacker.

Database specific

{
    "nvd_published_at": "2023-05-24T08:15:09Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-24T17:32:25Z"
}

References

Affected packages

Packagist / nilsteampassnet/teampass

Package

Name: nilsteampassnet/teampass
Purl: pkg:composer/nilsteampassnet/teampass

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.9

Affected versions

2.*

2.1.21

2.1.26

2.1.27

3.*

3.0.0

3.0.0.10

3.0.0.11