
CVE-2019-17203: TeamPass Stored Cross-site Scripting

CVSS Score (v3.1): 5.4

Basic Information

EPSS Score: 0.4152%
Published: 5/24/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: nilsteampassnet/teampass
Ecosystem: composer
Vulnerable Versions: <= 2.1.27.36
First Patched Version: (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability occurs because a crafted password is stored and later rendered unsafely. Two key points of failure are identified:

1) Client-side JavaScript handling password disclosure (high confidence): the infinite XSS trigger on password reveal strongly suggests insecure DOM manipulation.

2) Server-side HTML generation (medium confidence): stored XSS typically requires improper output encoding during page rendering.

The confidence levels reflect the attack pattern described; the exact function names and paths are inferred from common implementation patterns in web applications.


WAF Protection Rules

WAF Rule

TeamPass 2.1.27.36 allows Stored XSS at the Search page by setting a crafted password for an item in any folder.
