HTML Injection in Folder Name in nilsteampassnet/teampass

Valid

Reported on

Jun 6th 2023


Description

The folder name does not sanitize folder name and due to missing output encoding, HTML user-input is rendered in the webpage during folder deletion.

Proof of Concept

  1. Login to Teampass as any user.
  2. Go to Folders tab.
  3. Create a new folder with HTML tag in the Label. Example: <h1>HTML Injection<h1>
  4. Select the created folder and click on Delete.
  5. The HTML code from the Label is rendered in the webpage.

Impact

An user with authorization to create folders can add HTML code to the Label and add items to the page during folder deletion by other users. This could be used to deceive and phish unsuspecting users.

References

We are processing your report and will contact the nilsteampassnet/teampass team within 24 hours. 9 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 9 months ago
We have contacted a member of the nilsteampassnet/teampass team and are waiting to hear back 9 months ago
Nils Laumaillé validated this vulnerability 8 months ago
nerrorsec has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nils Laumaillé marked this as fixed in 3.0.9 with commit 241dbd 8 months ago
The fix bounty has been dropped
This vulnerability has now been published 8 months ago
Nils Laumaillé gave praise 8 months ago
Thank you
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
to join this conversation