GHSA-h6jh-cf83-qcq5

Suggest an improvement
Source
https://github.com/advisories/GHSA-h6jh-cf83-qcq5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-h6jh-cf83-qcq5/GHSA-h6jh-cf83-qcq5.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h6jh-cf83-qcq5
Aliases
Published
2023-05-24T09:30:25Z
Modified
2024-02-16T08:07:55.801133Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N CVSS Calculator
Summary
Code injection in nilsteampassnet/teampass
Details

nilsteampassnet/teampass prior to 3.0.9 is vulnerable to code injection. A malicious user could potentially rename a folder with a payload containing malicious code. This could result in an attack on an admin who edits the folder, as the payload could execute upon the admin's interaction with the folder. This attack could potentially allow the attacker to gain unauthorized access to the admin's system or steal sensitive information, or it could force admin to get redirected to a website controlled by the attacker.

Database specific
{
    "nvd_published_at": "2023-05-24T08:15:09Z",
    "cwe_ids": [
        "CWE-94"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-24T17:32:25Z"
}
References

Affected packages

Packagist / nilsteampassnet/teampass

Package

Name
nilsteampassnet/teampass
Purl
pkg:composer/nilsteampassnet/teampass

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.9

Affected versions

2.*

2.1.21
2.1.26
2.1.27

3.*

3.0.0
3.0.0.10
3.0.0.11