Stored XSS on items in Folder in nilsteampassnet/teampass


Reported on

Apr 23rd 2023


first create two user accounts and grant them permission to access a same folder. In one of the accounts, generate a new item within the folder. Paste the payload XSS into this field, then save the item. Once saved, click on the item to activate an XSS alert.

To confirm the success of this action, log in to the other account and navigate to the shared folder. From here, use the mouse to drag the item and observe the XSS alert that appears. This confirms that the XSS payload has been successfully implemented within the shared folder, allowing for further testing and analysis as needed.

Proof of Concept


The impact of this vulnerability is that it enables an attacker to inject malicious code into a shared folder, which can then be executed by other users who have access to the folder. This can potentially lead to a range of serious consequences, such as theft of sensitive data, unauthorized access to systems, and the ability to carry out further attacks.

For instance, an attacker may use this vulnerability to steal user credentials, compromise the confidentiality of sensitive data, or even take control of a victim's account or device. They could also use the vulnerability to propagate malware or ransomware throughout the network. Additionally, if the shared folder is used for collaboration between multiple parties, the vulnerability could allow an attacker to disrupt the work of the entire group, causing loss of productivity and potential financial losses.

We are processing your report and will contact the nilsteampassnet/teampass team within 24 hours. 7 months ago
A GitHub Issue asking the maintainers to create a exists 7 months ago
M Nadeem Qazi
7 months ago


Tested on 3.0.7 version. with latest commit ( cea058d4f178a58ee04c1fa0792a22f8a50842f4 )

We have contacted a member of the nilsteampassnet/teampass team and are waiting to hear back 7 months ago
Nils Laumaillé validated this vulnerability 7 months ago
M Nadeem Qazi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nils Laumaillé marked this as fixed in 3.0.7 with commit 39b774 7 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Nils Laumaillé published this vulnerability 7 months ago
Nils Laumaillé gave praise 7 months ago
Thank you 👍
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
M Nadeem Qazi
7 months ago



to join this conversation