CVE-2019-17204: TeamPass Stored Cross-site Scripting

CVSS Score: 5.4 (CVSS 3.1)

Basic Information

EPSS Score: 0.4152%
Published: 5/24/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name: nilsteampassnet/teampass
Ecosystem: composer
Vulnerable Versions: <= 2.1.27.36
First Patched Version: (none listed)

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The provided vulnerability information describes a stored XSS in the Knowledge Base label handling, but no specific code snippets, commit diffs, or implementation details are available. While the root cause is clearly missing input sanitization/output encoding when processing user-supplied KB labels, the exact PHP functions responsible for (1) storing KB labels in the database or (2) rendering them in HTML templates cannot be identified with high confidence without access to the actual TeamPass codebase structure from version 2.1.27.36. The advisory and issue thread don't provide enough implementation-level details to pinpoint specific functions.
