huntr | Mnqazi | D7B8EA75-C74A-4721-89BB-12E5C80FB0BA
History: May 07, 2023 - 12:53 p.m.

Stored HTML injection in folderName affecting Admin

2023-05-07 12:53:00
mnqazi
www.huntr.dev
4
html injection
folder vulnerability
admin attack
unauthorized access
sensitive information
redirection

EPSS: 0.002 (Low)

Percentile: 61.1%

Description

The FolderName field is vulnerable to HTML injection: a malicious user could rename a folder with a payload containing malicious code. This could result in an attack on the admin who edits the folder, as the payload could execute upon the admin's interaction with the folder. The attack could allow the attacker to gain unauthorized access to the admin's system or steal sensitive information, or it could force the admin to be redirected to the attacker's website.
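The rendering flaw described above and its fix, as an added example that is not from the original report or the affected project. The edit view, the function names and the sample folder record are assumptions, since the report does not name the affected code.

```javascript
// Added example: hypothetical admin "edit folder" view; all names are assumptions.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode every character that can change HTML context (text or quoted attribute).
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the stored name is concatenated into markup as-is.
function renderEditFormUnsafe(folder) {
  return `<h2>Edit ${folder.name}</h2><input name="folderName" value="${folder.name}">`;
}

// Hardened pattern: the stored name is encoded at output time.
function renderEditFormSafe(folder) {
  const name = escapeHtml(folder.name);
  return `<h2>Edit ${name}</h2><input name="folderName" value="${name}">`;
}

// Defence in depth at rename time (assumed policy): reject angle brackets and
// control characters. Output encoding above remains the primary control.
function validateFolderName(name) {
  if (typeof name !== "string") return false;
  const trimmed = name.trim();
  if (trimmed.length === 0 || trimmed.length > 255) return false;
  return !/[<>\u0000-\u001f]/.test(trimmed);
}

// Constructed sample record: a folder name containing markup, as stored.
const storedFolder = { id: 7, name: 'Q1"><h1>injected</h1>' };

// Count opening tags of a given element in rendered output.
function countTags(html, tag) {
  return (html.match(new RegExp(`<${tag}[\\s>]`, "g")) || []).length;
}

function demo() {
  return {
    unsafeH1: countTags(renderEditFormUnsafe(storedFolder), "h1"), // markup survives
    safeH1: countTags(renderEditFormSafe(storedFolder), "h1"),     // markup is inert text
    accepted: validateFolderName(storedFolder.name),
  };
}

console.log(demo());
```

Encoding at output time protects the admin view even for names stored before validation was introduced.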

Proof of Concept

https://drive.google.com/file/d/1RZjHRZiTPcdIU4qR1cmwL3Tv2f9qVar9/view?usp=sharing
