Improper handling of input value leads to Remote Code Execution or Denial of Service in nilsteampassnet/teampass


Reported on

Jun 17th 2023


Some value in some input field was directly inserted into a file called "tp.config.php", an attacker can inject malicious PHP code to perform a remote code execution attack.

Proof of Concept

Go to Settings -> MFA -> Duo Security function, input this payload: ',); phpinfo(); ?>// on the "Client ID" field image

Enter for save then click on another tab. Observed that an error shows up and the php code was successfully injected and executed. image


An authenticated Admin can achieve a full remote command execution on the OS level under the web server user.

We are processing your report and will contact the nilsteampassnet/teampass team within 24 hours. 5 months ago
A GitHub Issue asking the maintainers to create a exists 5 months ago
hiu240900 modified the report
5 months ago
hiu240900 modified the report
5 months ago
We have contacted a member of the nilsteampassnet/teampass team and are waiting to hear back 5 months ago
Nils Laumaillé validated this vulnerability 5 months ago
hiu240900 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nils Laumaillé marked this as fixed in 3.0.10 with commit cc6abc 5 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Nils Laumaillé published this vulnerability 5 months ago
Nils Laumaillé gave praise 5 months ago
thank you
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
to join this conversation