Miggo Logo

CVE-2023-3531: TeamPass Cross-site Scripting vulnerability

8.1

CVSS Score
3.0

Basic Information

EPSS Score
0.28647%
Published
7/6/2023
Updated
11/6/2023
KEV Status
No
Technology
TechnologyPHP

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
nilsteampassnet/teampasscomposer< 3.0.103.0.10

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The patch adds critical HTML entity replacements in simplePurifier and fixes data attribute checks in fieldDomPurifierLoop. Pre-patch versions failed to properly sanitize alternative HTML entity encodings and had flawed logic for identifying fields needing purification. The vulnerability manifests in input handling functions where user-controlled data wasn't adequately neutralized before DOM insertion.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*ross-sit* S*riptin* (XSS) - Stor** in *it*u* r*pository nilst**mp*ssn*t/t**mp*ss prior to *.*.**.

Reasoning

T** p*t** ***s *riti**l *TML *ntity r*pl***m*nts in simpl*Puri*i*r *n* *ix*s **t* *ttri*ut* ****ks in *i*l**omPuri*i*rLoop. Pr*-p*t** v*rsions **il** to prop*rly s*nitiz* *lt*rn*tiv* *TML *ntity *n*o*in*s *n* *** *l*w** lo*i* *or i**nti*yin* *i*l*s n