Miggo Logo
Miggo Vulnerability Database
CVE-2023-3191

CVE-2023-3191: Teampass Cross-site Scripting vulnerability

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-3191
GHSA ID
GHSA-qmw8-x364-xxxm
EPSS Score
0.28766%
CWE
CWE-79
Published
6/10/2023
Updated
11/5/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
nilsteampassnet/teampasscomposer< 3.0.93.0.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The key evidence comes from the commit diff showing fieldSanitizeStep1 was removed and replaced with simplePurifier/fieldDomPurifier functions that enforce safer defaults (bHtml=false). The vulnerability description explicitly mentions improper input sanitization leading to stored XSS, and the patch changes how text inputs are processed. The original function's parameters allowed HTML content by default and its entity decoding before sanitization created an injection risk vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In v*rsions o* nilst**mp*ssn*t/t**mp*ss prior to *.*.* som* us*r input w*s not prop*rly s*nitiz** w*i** m*y **v* l*** to stor** *ross-sit* s*riptin* (XSS) v**tors in t** *ppli**tion.

Reasoning

T** k*y *vi**n** *om*s *rom t** *ommit *i** s*owin* `*i*l*S*nitiz*St*p*` w*s r*mov** *n* r*pl**** wit* `simpl*Puri*i*r/*i*l**omPuri*i*r` *un*tions t**t *n*or** s***r ****ults (**tml=**ls*). T** vuln*r**ility **s*ription *xpli*itly m*ntions improp*r i