HTML Injection in Folder Name in nilsteampassnet/teampass
Jun 6th 2023
The folder Label is not sanitized, and because the value is rendered without output encoding, HTML in user input is rendered in the webpage during folder deletion.
Proof of Concept
- Login to Teampass as any user.
- Go to Folders tab.
- Create a new folder with an HTML tag in the Label. Example:
- Select the created folder and click on
- The HTML code from the Label is rendered in the webpage.
A user with authorization to create folders can add HTML code to the Label and thereby add items to the page during folder deletion by other users. This could be used to deceive and phish unsuspecting users.
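The missing output encoding described above, shown as an added example that is not TeamPass code: a folder label is concatenated into the deletion confirmation markup raw (vulnerable) and after HTML entity encoding (fixed). The folder label, the message text and the helper names are assumptions for illustration.

```javascript
// Added example, not TeamPass code. The folder label is assumed to be
// user-controlled input (any user allowed to create folders can set it).

// Constructed sample: a folder label that contains markup.
const folderLabel = '<i>Shared</i> folder';

// Minimal HTML entity encoding for text placed in an HTML text node.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: the raw label is concatenated into markup that the page
// renders (e.g. via innerHTML), so any tag in the label becomes live HTML.
function buildDeleteMessageUnsafe(label) {
  return 'Do you really want to delete folder ' + label + '?';
}

// Fixed: the label is entity-encoded before it is placed in the markup,
// so it is displayed as text instead of being parsed as HTML.
function buildDeleteMessageSafe(label) {
  return 'Do you really want to delete folder ' + escapeHtml(label) + '?';
}

// Detection check: does the rendered message still contain a live tag?
function containsTag(html) {
  return /<[a-z!\/][^>]*>/i.test(html);
}
```

Assigning the label with textContent rather than innerHTML achieves the same effect as escapeHtml when the label is written to the DOM directly.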