CVE-2019-17205: TeamPass Stored Cross-site Scripting
CVSS Score: 6.1 (CVSS 3.1)
Basic Information
CVE ID: CVE-2019-17205
GHSA ID:
EPSS Score: 0.61577%
CWE:
Published: 5/24/2022
Updated: 4/24/2024
KEV Status: No
Technology: PHP
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
nilsteampassnet/teampass | composer | <= 2.1.27.36 | |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from unsanitized user input in username fields being stored and later displayed in admin logs. The commit diff shows that the fix wraps $record['field_1'] in htmlspecialchars(stripslashes()) in datatable.logs.php, confirming that missing output encoding was the vulnerable point. The affected code constructs CSV log entries that are then rendered as HTML tables, which makes this cell the precise XSS injection vector.