CVE-2023-2591
Published 2023-05-09
CVE-2023-2591: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitHub repository nilsteampassnet/teampass prior to 3.0.7.
Priority: P4 · 24 · medium · 5.4 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.61% (44.6th percentile)
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nilsteampassnet | nilsteampassnet_teampass | >= unspecified < 3.0.7 | 3.0.7 |
| nilsteampassnet | teampass | >= 0 < 3.0.7 | 3.0.7 |
| teampass | teampass | < 3.0.7 | 3.0.7 |
CVSS provenance
nvd · v3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
nvd · v3.0 · 7.1 HIGH · CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
OSV
teampass vulnerable to code injection
osv·2023-05-09
CVE-2023-2591 [HIGH] teampass vulnerable to code injection
In nilsteampassnet/teampass prior to 3.0.7, if two users have access to the same folder, a malicious user can create an item whose label field is vulnerable to HTML injection. When other users view that item, it may redirect them to the attacker's website or capture their data using a form. The issue is fixed in version 3.0.7.
GHSA
teampass vulnerable to code injection
ghsa·2023-05-09
CVE-2023-2591 [HIGH] CWE-79 teampass vulnerable to code injection
In nilsteampassnet/teampass prior to 3.0.7, if two users have access to the same folder, a malicious user can create an item whose label field is vulnerable to HTML injection. When other users view that item, it may redirect them to the attacker's website or capture their data using a form. The issue is fixed in version 3.0.7.
https://github.com/nilsteampassnet/teampass/commit/57a977c6323656e5dc06ab5c227e75c3465a1a4a
https://huntr.dev/bounties/705f79f4-f5e3-41d7-82a5-f00441cd984b
Published: 2023-05-09