CVE-2017-15051: TeamPass stored cross-site scripting (XSS) vulnerability
5.4
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.36537%
CWE
Published
5/17/2022
Updated
4/24/2024
KEV Status
No
Technology
PHP
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| nilsteampassnet/teampass | composer | < 2.1.27.9 | 2.1.27.9 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The patch adds FILTER_SANITIZE_STRING filtering to URL/login fields in items.queries.php, indicating these were unsanitized input vectors. The vulnerability description explicitly mentions these two injection points (item URL and user log history). The commit shows historical data was rendered with htmlspecialchars_decode() without output encoding in log display logic, and the user profile -> admin log flow matches the second attack vector described.