4.4

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-v86m-j5f7-ccwh

EPSS Score

CWE

CWE-79

Published

5/20/2024

Updated

5/20/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-v86m-j5f7-ccwh

GHSA-v86m-j5f7-ccwh: Passbolt Api E-mail HTML injection

Passbolt sends e-mail to users to warn them about different type of events such as the creation, modification or deletion of a password. Those e-mails may contain user-specified input, such as a password’s title or description.

Passbolt does not escape the user’s input properly, resulting in the user being able to inject HTML code in an e-mail.

An authenticated attacker could share a password containing an img HTML tag in its description with an other user to obtain information about their mail user-agent.

This vulnerability has a very low impact. Most MUA do not embed remote images to protect their users’ privacy.

(GitHub Advisory)

4.4

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-v86m-j5f7-ccwh

EPSS Score

CWE

CWE-79

Published

5/20/2024

Updated

5/20/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
passbolt/passbolt_api	composer	< 2.7.0	2.7.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from improper HTML escaping in email content. The commit shows:

Removal of HTMLPurifier dependency and replacement with htmlspecialchars
Critical change in Purifier::clean() from HTMLPurifier-based sanitization to basic HTML entity encoding
Removal of 'nohtml' parameter in UserAgentsTable.php that previously limited sanitization

These changes indicate the original Purifier::clean() function failed to properly neutralize HTML in user-controlled fields like password descriptions when generating emails, allowing img tag injection. The high confidence comes from the direct correlation between the patch (switching to htmlspecialchars) and the vulnerability type (HTML injection).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

P*ss*olt s*n*s *-m*il to us*rs to w*rn t**m **out *i***r*nt typ* o* *v*nts su** *s t** *r**tion, mo*i*i**tion or **l*tion o* * p*sswor*. T*os* *-m*ils m*y *ont*in us*r-sp**i*i** input, su** *s * p*sswor*’s titl* or **s*ription. P*ss*olt *o*s not *s*

Reasoning

T** vuln*r**ility st*mm** *rom improp*r *TML *s**pin* in *m*il *ont*nt. T** *ommit s*ows: *. R*mov*l o* *TMLPuri*i*r **p*n**n*y *n* r*pl***m*nt wit* *tmlsp**i*l***rs *. *riti**l ***n** in Puri*i*r::*l**n() *rom *TMLPuri*i*r-**s** s*nitiz*tion to **si

4.4

Basic Information

Concerned about an active attack path?

GHSA-v86m-j5f7-ccwh: Passbolt Api E-mail HTML injection

4.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI