CVE-2023-2516 - Cross-site Scripting (XSS) Stored Vulnerability discovered in GitHub repository nilsteampassnet/teampass prior to version 3..7
A significant vulnerability, tracked as CVE-2023-2516, has been discovered in the GitHub repository of the password management solution Teampass. It is a stored Cross-site Scripting (XSS) issue and affects all versions of Teampass prior to the 3..7 release. The impact on users is severe: an attacker who gets a payload stored could execute arbitrary JavaScript in other users' browsers and use it to steal credentials or personal information, or to launch further attacks against their systems.
The affected repository is nilsteampassnet/teampass on GitHub.
Exploit Details
The vulnerability is caused by user inputs not being properly sanitized and encoded before being stored and displayed. This allows an attacker to inject malicious JavaScript code into the input fields, which will then be executed when the stored data is shown to the user.
Here is a code snippet showing the vulnerable segment (the `&quot;` entity in the `str_replace` call had been decoded to a bare quote during extraction and is restored here):

```php
// vulnerable code in /sources/items.queries.php
case "store_history":
    $html = '<table>';
    foreach ($_POST as $key => $value) {
        if (!in_array($key, $array_items_keys)) {
            // $key and $value come straight from the request; only double quotes in $value are rewritten
            $html .= '<tr><td width="40%">'.$key.'</td><td width="60%">'.str_replace('"', "&quot;", stripslashes(urldecode($value))).'</td></tr>';
        }
    }
    $html .= '</table>';
```
In the code above, the store_history case takes POST data and directly inserts it into an HTML table without properly encoding the content. This oversight allows any input containing malicious JavaScript to be inserted into the table and executed when the stored table is retrieved and displayed on the user's screen.
Here is an example of injected JavaScript that would be executed by exploiting this vulnerability:

```html
<script>alert("XSS Vulnerability!");</script>
```
Mitigations and Fixes
To mitigate the risk, users of Teampass are urged to upgrade their installations to version 3..7 or later. The developers behind Teampass have been notified about this vulnerability, and they have patched the issue in the new release.
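The following standalone script is an added example and is not Teampass's own code. It places a table builder with the unencoded concatenation described above next to a hardened builder that runs every request-supplied string through `htmlentities` with `ENT_QUOTES` before it is concatenated, then checks that the page's sample payload survives the first and is neutralised by the second. The function names, the `esc` helper, the `$array_items_keys` contents and the `$post` array are all constructed for the demonstration. Note that the hardened builder encodes `$key` as well as `$value`, since both come from the request body; the patched Teampass snippet shown in this advisory encodes only `$value`.

```php
<?php
// Added example, not Teampass code. Function names, the esc() helper,
// $array_items_keys and the $post array are constructed for illustration.
declare(strict_types=1);

/** Keys that belong to the item record itself and are skipped by the history table. */
$array_items_keys = ['id', 'label', 'pw'];

/** Mirrors the vulnerable pattern: $key is untouched, $value only has quotes rewritten. */
function buildHistoryTableUnsafe(array $post, array $skipKeys): string
{
    $html = '<table>';
    foreach ($post as $key => $value) {
        if (!in_array($key, $skipKeys)) {
            $html .= '<tr><td width="40%">'.$key.'</td><td width="60%">'
                . str_replace('"', '&quot;', stripslashes(urldecode((string) $value)))
                . '</td></tr>';
        }
    }
    return $html.'</table>';
}

/** One encoder for every untrusted string placed into element content. */
function esc(string $s): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE keeps invalid UTF-8 from
    // making htmlentities() return an empty string (a silent failure mode).
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Hardened builder: both the key and the value are encoded before concatenation. */
function buildHistoryTableSafe(array $post, array $skipKeys): string
{
    $html = '<table>';
    foreach ($post as $key => $value) {
        if (!in_array((string) $key, $skipKeys, true)) {
            $html .= '<tr><td width="40%">'.esc((string) $key).'</td><td width="60%">'
                . esc(stripslashes(urldecode((string) $value)))
                . '</td></tr>';
        }
    }
    return $html.'</table>';
}

// Constructed request body: two benign fields plus the advisory's sample payload.
$post = [
    'id'      => '42',
    'notes'   => 'rotated quarterly',
    'comment' => '<script>alert("XSS Vulnerability!");</script>',
];

$unsafe = buildHistoryTableUnsafe($post, $array_items_keys);
$safe   = buildHistoryTableSafe($post, $array_items_keys);

// Regression checks suitable for a test suite: a raw <script> tag must never
// survive the hardened builder, and the encoded form must be present instead.
assert(strpos($unsafe, '<script>') !== false);   // vulnerable output still carries the tag
assert(strpos($safe, '<script>') === false);     // hardened output does not
assert(strpos($safe, '&lt;script&gt;') !== false);

echo $safe, PHP_EOL;
```

Running the script prints a table whose `comment` cell contains the literal text of the payload rather than an executable element. The same `esc()` helper should be applied to `$key` in real code too: a request field name is just as attacker-controlled as its value.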
The patched code encodes the stored value with `htmlentities` before it is placed in the table (the listing below has been reassembled from the extracted fragments, restoring the HTML tags and the `&quot;` entity that the extraction dropped):

```php
// Patched code in /sources/items.queries.php
case "store_history":
    $html = '<table>';
    foreach ($_POST as $key => $value) {
        if (!in_array($key, $array_items_keys)) {
            // $value is now HTML-encoded (ENT_QUOTES, UTF-8) before concatenation
            $html .= '<tr><td width="40%">'.$key.'</td><td width="60%">'.htmlentities(str_replace('"', "&quot;", stripslashes(urldecode($value))), ENT_QUOTES, 'UTF-8').'</td></tr>';
        }
    }
    $html .= '</table>';
```

Timeline
Published on: 05/05/2023 19:15:00 UTC
Last modified on: 05/10/2023 02:20:00 UTC