Lucene search

Veracode Vulnerability DatabaseVERACODE:40866

HistoryJun 12, 2023 - 12:32 p.m.

Cross Site Scripting (XSS)

2023-06-1212:32:27

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

teampass

vulnerability

stored xss

input sanitization

password manager

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

0.001 Low

EPSS

Percentile

23.7%

JSON

teampass password manager is vulnerable to Stored XSS. The vulnerability is due to lack of sanitising user input while creating an item inside a folder which results in running malicious code when the same item is accessed by another user at later point in time.

CPENameOperatorVersion
nilsteampassnet/teampassle3.0.0.11
nilsteampassnet/teampassle3.0.0.11

CPE	Name	Operator	Version
	nilsteampassnet/teampass	le	3.0.0.11
	nilsteampassnet/teampass	le	3.0.0.11

References

drive.google.com/file/d/1tdnqjROAZOxCayaUCAjfLLwkvuQehGy1/view?usp=sharing

github.com/nilsteampassnet/teampass/commit/6ba8cf1f4b89d62a08d122d533ccf4cb4e26a4ee

huntr.dev/bounties/2929faca-5822-4636-8f04-ca5e0001361f