CVE-2023-2859 – nilsteampassnet/teampass

Package

Manager: composer
Name: nilsteampassnet/teampass
Vulnerable Version: >=0 <3.0.9

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N

EPSS: 0.05769 pctl0.9012

Details

Code injection in nilsteampassnet/teampass nilsteampassnet/teampass prior to 3.0.9 is vulnerable to code injection. A malicious user could potentially rename a folder with a payload containing malicious code. This could result in an attack on an admin who edits the folder, as the payload could execute upon the admin's interaction with the folder. This attack could potentially allow the attacker to gain unauthorized access to the admin's system or steal sensitive information, or it could force admin to get redirected to a website controlled by the attacker.

Metadata

Created: 2023-05-24T09:30:25Z
Modified: 2023-05-31T15:57:56Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-h6jh-cf83-qcq5/GHSA-h6jh-cf83-qcq5.json
CWE IDs: ["CWE-94"]
Alternative ID: GHSA-h6jh-cf83-qcq5
Finding: F422
Auto approve: 1