Stored XSS via Default session expiration time in nilsteampassnet/teampass

Valid

Reported on

Jun 10th 2023


Description

When HTML/JS tags are submitted in the Default session expiration time field, the code is stored and executes on the login page.

Proof of Concept

Log in to Teampass and go to Settings => Options (http://127.0.0.1/index.php?page=options). In the Default session expiration time input field, insert an XSS payload "><svg/onload=alert(document.cookie)>. Save the settings. In a different browser, open the login page. The XSS payload executes.

Impact

A privileged user can insert malicious HTML/JS code that runs in the context of the application, affecting all the other users in many different ways.
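
The PHP below is an added example, not TeamPass code and not the project's actual fix: it shows the two controls that stop this class of bug for a numeric setting, integer validation on save and attribute-context encoding on render. The function names, the field name, the bounds and the assumption that the stored value is echoed inside an HTML attribute are all illustrative.

```php
<?php
declare(strict_types=1);

// Hypothetical bounds for a session lifetime in minutes (assumed, not TeamPass values).
const SESSION_MINUTES_MIN = 1;
const SESSION_MINUTES_MAX = 1440;

/**
 * Input side: accept the setting only if it is an integer within bounds.
 * Returns the validated integer, or null when the value must be rejected.
 */
function validateSessionMinutes(string $raw): ?int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => SESSION_MINUTES_MIN, 'max_range' => SESSION_MINUTES_MAX],
    ]);
    return $value === false ? null : $value;
}

/**
 * Output side: encode for an HTML attribute context so that quotes and angle
 * brackets in a stored value cannot close the attribute or open a new tag.
 */
function renderSessionField(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // "session_minutes" is a hypothetical field name.
    return '<input type="text" name="session_minutes" value="' . $safe . '">';
}

// Constructed inputs: a normal value and the payload from the proof of concept.
$samples = ['60', '"><svg/onload=alert(document.cookie)>'];

foreach ($samples as $raw) {
    $validated = validateSessionMinutes($raw);
    echo 'input:     ', $raw, PHP_EOL;
    echo 'validated: ', $validated === null ? 'rejected' : (string) $validated, PHP_EOL;
    // Encoding is still applied on output, covering values stored before validation existed.
    echo 'rendered:  ', renderSessionField($raw), PHP_EOL, PHP_EOL;
}
```

Validation alone leaves any value already saved in the database untouched, which is why the render path encodes regardless of what the save path accepted.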

References

We are processing your report and will contact the nilsteampassnet/teampass team within 24 hours. 6 months ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 6 months ago
We have contacted a member of the nilsteampassnet/teampass team and are waiting to hear back 6 months ago
Nils Laumaillé validated this vulnerability 5 months ago
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nils Laumaillé marked this as fixed in 3.0.10 with commit 820bb4 5 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Nils Laumaillé published this vulnerability 5 months ago
Nils Laumaillé gave praise 5 months ago
thank you
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1