This repository addresses the stored XSS vulnerability discovered in the nilsteampassnet/teampass application, which was assigned the CVE-2023-2516 identifier. The vulnerability can be exploited by creating two user accounts with access to the same folder. By creating a new item within that folder and inserting an XSS payload into the item's name, an attacker can trigger the XSS when the item is accessed by another user. This bypasses the previous patch for CVE-2023-2516.
A detailed proof of concept for this vulnerability can be found in the video:
The impact of this vulnerability is significant, as it allows an attacker to inject malicious code into a shared folder. Any user with access to the folder then executes the injected code when viewing the item, which can lead to severe consequences such as data theft, unauthorized system access, and further attacks. This vulnerability enables attackers to capture user credentials, compromise data confidentiality, gain control over victim accounts or devices, and propagate malware or ransomware throughout the network. If the shared folder is used for collaboration between multiple parties, the vulnerability can disrupt the entire group's work, resulting in loss of productivity and potential financial losses.
The vulnerability can be observed in the items.queries.php file, specifically within lines L152-L1932.
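The defensive pattern this class of bug calls for is contextual output encoding of every user-controlled value before it lands in markup, together with an audit of names that were stored before the fix. The following is an added example written for this page, not TeamPass code: the `renderItemRow*` functions, the `escapeHtml` helper, the `findSuspiciousLabels` audit and the sample rows are all constructed to illustrate the point.

```javascript
// Added example (not TeamPass code): safe rendering of a user-controlled
// item name, shown beside the unsafe concatenation pattern, plus an audit
// scan that flags already-stored names containing markup.

// Escape a value for HTML text and double-quoted attribute contexts.
// '&' is replaced first so later replacements are not double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Unsafe pattern: the stored label is concatenated straight into markup,
// so any tag or quote in the label becomes part of the page structure.
function renderItemRowUnsafe(item) {
  return `<tr data-id="${item.id}"><td title="${item.label}">${item.label}</td></tr>`;
}

// Hardened pattern: the id is coerced to a number (it is never free text),
// and the label is encoded for both the attribute and the text context.
function renderItemRowSafe(item) {
  const id = Number(item.id);
  const label = escapeHtml(item.label);
  return `<tr data-id="${id}"><td title="${label}">${label}</td></tr>`;
}

// Audit: a label that looks like a tag, a javascript: URL or an inline
// event handler should not occur in a password-manager item name, so
// matches are candidates for review after the patch is applied.
const MARKUP_RE = /<[a-z!\/]|javascript:|on\w+\s*=/i;
function findSuspiciousLabels(items) {
  return items.filter((i) => MARKUP_RE.test(i.label)).map((i) => i.id);
}

// Constructed sample rows standing in for items of a shared folder.
const SAMPLE_ITEMS = [
  { id: 101, label: "Production DB password" },
  { id: 102, label: 'Wi-Fi guest <img src=x onerror="alert(1)">' },
  { id: 103, label: "Tom & Jerry's shared account" },
];

// Stand-alone run: show the unsafe and safe renderings side by side and
// list which sample ids the audit flags.
for (const item of SAMPLE_ITEMS) {
  console.log("unsafe:", renderItemRowUnsafe(item));
  console.log("safe:  ", renderItemRowSafe(item));
}
console.log("flagged ids:", findSuspiciousLabels(SAMPLE_ITEMS));
```

Note that the audit regex is deliberately narrow: the legitimate label with `&` and `'` (id 103) is not flagged, while the label carrying a tag (id 102) is. Encoding at render time, not filtering at input time, is what actually neutralises the stored payload; the audit only helps find entries that pre-date the fix.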
For more details on this vulnerability, please refer to the huntr.dev report or the Medium blog post (CVE-2023-3009).
You can also follow me for updates on my research and other security-related topics:
- Instagram: @mnqazi
- Twitter: @mnqazi
- Facebook: @mnqazi
- LinkedIn: M_Nadeem_Qazi
Stay safe out there!