CVE-2019-17203: TeamPass Stored Cross-site Scripting
CVSS Score: 5.4 (CVSS 3.1)
Basic Information
CVE ID: CVE-2019-17203
GHSA ID:
EPSS Score: 0.4152%
CWE:
Published: 5/24/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
nilsteampassnet/teampass | composer | <= 2.1.27.36 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability occurs because a crafted password is stored and later rendered unsafely. Two key points of failure are identified:

1) Client-side JavaScript handling password disclosure (high confidence) - the infinite XSS trigger on password reveal strongly suggests insecure DOM manipulation.
2) Server-side HTML generation (medium confidence) - stored XSS typically requires improper output encoding during page rendering.

The confidence levels reflect the attack pattern described, though exact function names/paths are inferred based on common implementation patterns in web applications.