Headline
CVE-2023-3565: Stored XSS via Default session expiration time in teampass
Cross-site Scripting (XSS) - Generic in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
Description
When HTML/JS tags are submitted in the Default session expiration time setting, the code is stored and then executes on the login page.
Proof of Concept
Log in to Teampass and go to Settings => Options (http://127.0.0.1/index.php?page=options). In the Default session expiration time input field, insert an XSS payload "><svg/onload=alert(document.cookie)>. Save the settings. In a different browser, open the login page. The XSS payload executes.
Impact
A privileged user can insert malicious HTML/JS code in the context of the application, affecting all the other users in many different ways.
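The two controls that close this class of bug, shown as an added example that is not TeamPass code or its actual patch: validate the setting as a number when it is saved, and HTML-encode it when it is rendered. The function names, the field id, the 1440 upper bound, and the assumptions that the value is a whole number of minutes and is rendered inside an attribute are all hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; none of these names come from TeamPass.

/**
 * Save-time check: the setting is assumed to be a duration in minutes,
 * so accept only a bounded positive integer and reject everything else.
 * Returns the integer, or null when the input must be refused.
 */
function validateSessionMinutes(string $raw, int $max = 1440): ?int
{
    $value = filter_var(trim($raw), FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $value === false ? null : $value;
}

/** Before: the stored value is concatenated into the attribute unchanged. */
function renderFieldUnsafe(string $stored): string
{
    return '<input type="text" id="session_minutes" value="' . $stored . '">';
}

/** After: the value is encoded for an HTML attribute context on output. */
function renderFieldEncoded(string $stored): string
{
    $safe = htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" id="session_minutes" value="' . $safe . '">';
}

// Payload string taken from the proof of concept above, plus a legitimate value.
$payload = '"><svg/onload=alert(document.cookie)>';

// Layer 1: input validation. The numeric value passes, the payload is refused.
var_dump(validateSessionMinutes('60'));
var_dump(validateSessionMinutes($payload));

// Layer 2: output encoding. Compare how the same stored string is emitted.
// Unsafe: the leading "> closes the attribute and tag, so <svg> becomes markup.
echo renderFieldUnsafe($payload), PHP_EOL;
// Encoded: quotes and angle brackets become entities and stay inside value="...".
echo renderFieldEncoded($payload), PHP_EOL;
```

Either control alone stops the payload in this field; applying both means that a value already stored before the fix is still rendered inert.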