Stored XSS via Default session expiration time in nilsteampassnet/teampass


Reported on

Jun 10th 2023


The Default session expiration time feature when submitted HTML/JS tags executes the code in the login page.

Proof of Concept

Login to Teampass and go to Settings => Options. ( In theDefault session expiration time input field insert an XSS payload "><svg/onload=alert(document.cookie)>. Save the settings. On a different browser, open the login page. The XSS payload executes.


A privileged user can insert malicious HTML/JS code in the context of the application affecting all the other users in many different ways.


We are processing your report and will contact the nilsteampassnet/teampass team within 24 hours. 6 months ago
A GitHub Issue asking the maintainers to create a exists 6 months ago
We have contacted a member of the nilsteampassnet/teampass team and are waiting to hear back 6 months ago
Nils Laumaillé validated this vulnerability 5 months ago
Niraj Khatiwada has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Nils Laumaillé marked this as fixed in 3.0.10 with commit 820bb4 5 months ago
The fix bounty has been dropped
This vulnerability has been assigned a CVE
Nils Laumaillé published this vulnerability 5 months ago
Nils Laumaillé gave praise 5 months ago
thnak you
The researcher's credibility has slightly increased as a result of the maintainer's thanks: +1
to join this conversation