GHSA-prj5-2g2p-x2mw

Source

https://github.com/advisories/GHSA-prj5-2g2p-x2mw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-prj5-2g2p-x2mw/GHSA-prj5-2g2p-x2mw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-prj5-2g2p-x2mw

Aliases

CVE-2023-2591

Published

2023-05-09T12:30:22Z

Modified

2024-02-16T08:06:56.846182Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N CVSS Calculator

Summary

teampass vulnerable to code injection

Details

In nilsteampassnet/teampass prior to 3.0.7, if two users have the same folder access, malicious users can create an item where its label field is vulnerable to HTML injection. When other users see that item, it may force them to redirect to the attacker's website or capture their data using a form. The issue is fixed in version 3.0.7.

Database specific

{
    "nvd_published_at": "2023-05-09T10:15:10Z",
    "cwe_ids": [
        "CWE-79",
        "CWE-94"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-10T12:50:01Z"
}

References

Affected packages

Packagist / nilsteampassnet/teampass

Package

Name: nilsteampassnet/teampass
Purl: pkg:composer/nilsteampassnet/teampass

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.7

Affected versions

2.*

2.1.21

2.1.26

2.1.27

3.*

3.0.0

3.0.0.10

3.0.0.11