Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oNmpoLWNmODMtcWNxNc4AAzc1
Code injection in nilsteampassnet/teampass
nilsteampassnet/teampass prior to 3.0.9 is vulnerable to code injection. A malicious user could potentially rename a folder with a payload containing malicious code. This could result in an attack on an admin who edits the folder, as the payload could execute upon the admin's interaction with the folder. This attack could potentially allow the attacker to gain unauthorized access to the admin's system or steal sensitive information, or it could force the admin to be redirected to a website controlled by the attacker.
Permalink: https://github.com/advisories/GHSA-h6jh-cf83-qcq5
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNmpoLWNmODMtcWNxNc4AAzc1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 7.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N
EPSS Percentage: 0.00323
EPSS Percentile: 0.70304
Identifiers: GHSA-h6jh-cf83-qcq5, CVE-2023-2859
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-2859
- https://github.com/nilsteampassnet/teampass/commit/1f51482a0c4d152ca876844212b0f8f3cb9387af
- https://huntr.dev/bounties/d7b8ea75-c74a-4721-89bb-12e5c80fb0ba
- https://github.com/advisories/GHSA-h6jh-cf83-qcq5
Blast Radius: 4.3
Affected Packages
packagist:nilsteampassnet/teampass
Dependent packages: 0
Dependent repositories: 4
Downloads: 26 total
Affected Version Ranges: < 3.0.9
Fixed in: 3.0.9
All affected versions: 2.1.21, 2.1.26, 2.1.27, 3.0.0
All unaffected versions: 3.0.10, 3.1.0, 3.1.1