CVE-2023-3191 - How Stored XSS in Teampass < 3.0.9 Lets Attackers Compromise Your Password Manager
Password managers are now central to both personal and business security, and a vault is only as safe as its weakest code path. In this post, I'll walk you through a real security issue: a Stored Cross-site Scripting (XSS) vulnerability tracked as CVE-2023-3191, discovered in the popular open-source password manager Teampass and affecting versions before 3.0.9.
What Is CVE-2023-3191?
Stored Cross-site Scripting (XSS) means an attacker can inject malicious JavaScript into content that the server stores. When another user later views that content, the malicious script runs in their browser with the full privileges of the victim's session on the Teampass origin. Unlike "reflected XSS", this isn't a one-shot attack that needs a crafted link: the payload persists on the server and fires for every user who views the affected page.
In the case of Teampass (before version 3.0.9), certain user-supplied inputs were not escaped when rendered. Any authenticated user (think: a low-privilege coworker, or any compromised account) could store a JavaScript payload that would fire when others, including admins, viewed a password entry or certain pages.
- Teampass repo: https://github.com/nilsteampassnet/teampass
- Original disclosure: huntr.dev advisory
- NVD: CVE-2023-3191
Exploit Details: How the Attack Works
Suppose you're a malicious user with a valid login. Wherever Teampass lets you create or rename an item (a note, a folder, or a password entry's label or description), you enter something like:
<script>alert('XSS by evil!');</script>
Because earlier versions of Teampass did not HTML-escape this input when rendering it, the markup is stored verbatim and interpreted as live code whenever anyone with read rights loads the entry.
Real-world Impact
- Steal credentials: The injected code runs in the vault's own origin, so it can read whatever the victim's page can see, including decrypted passwords as they are displayed, and it can call the same application endpoints the victim's browser is allowed to call. Session cookies are readable from script only if they are not flagged HttpOnly, but the attacker does not need the cookie to ride the session: the script already executes inside it.
- Impersonate users: If it fires in an admin's browser, the attacker can perform admin actions in the admin's session, such as escalating their own rights or creating backdoor accounts.
Victim Visits:
When any user with read access views this item, the browser runs the injected code, which can exfiltrate what it finds (cookies not marked HttpOnly, or data pulled from the page or the API) to a server the attacker controls.
Prior to version 3.0.9, Teampass did not consistently escape output in some views. Illustratively:
// The insecure way (before 3..9)
echo $_POST['label']; // outputs raw user input
// The secure way (after fix)
echo htmlspecialchars($_POST['label'], ENT_QUOTES, 'UTF-8');
Escaping like this ensures that markup (such as <script>) is never interpreted as code, only shown as text. Note that the fix is escaping on output, at the point where the value is written into HTML, and that ENT_QUOTES matters: without it, single and double quotes pass through unchanged, and a value placed inside an HTML attribute can break out of it.
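To make the escaping rule concrete, here is an added example (my own code, not Teampass's) that ports the behaviour of PHP's htmlspecialchars($s, ENT_QUOTES, 'UTF-8') to JavaScript and runs the payload from this post through both an unescaped and an escaped template. It also shows the attribute context, where escaping only angle brackets is not enough. The template functions and the attribute-breakout payload are constructed for the example.

```javascript
// Added example, not Teampass code: JavaScript port of
// htmlspecialchars($s, ENT_QUOTES, 'UTF-8') and two render paths
// (unsafe vs fixed) for a user-controlled item label.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Escape the five characters that matter in HTML text and attribute values.
// Replacing char-by-char means an existing "&amp;" is not double-escaped
// into "&amp;amp;" on a second pass of a different string.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Insecure path (pre-fix behaviour): label interpolated straight into markup.
function renderItemUnsafe(label) {
  return `<td class="label">${label}</td>`;
}

// Fixed path: label escaped before interpolation.
function renderItemSafe(label) {
  return `<td class="label">${escapeHtml(label)}</td>`;
}

// Attribute context, unsafe: a quote in the label closes the attribute early.
function renderTitleAttrUnsafe(label) {
  return `<a href="#" title="${label}">item</a>`;
}

// Attribute context, fixed: ENT_QUOTES-style escaping also neutralises quotes.
function renderTitleAttrSafe(label) {
  return `<a href="#" title="${escapeHtml(label)}">item</a>`;
}

// Check used below: does the rendered HTML contain a tag the template itself
// did not emit? (A rough structural test, not a full HTML parser.)
function containsForeignTag(html, allowedTags) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowedTags.includes(t));
}

// Payload quoted in the post, plus a constructed attribute-breakout payload.
const PAYLOAD_TEXT = "<script>alert('XSS by evil!');</script>";
const PAYLOAD_ATTR = '" onmouseover="alert(1)';

// Stand-alone demonstration.
console.log('unsafe cell :', renderItemUnsafe(PAYLOAD_TEXT));
console.log('safe cell   :', renderItemSafe(PAYLOAD_TEXT));
console.log('unsafe attr :', renderTitleAttrUnsafe(PAYLOAD_ATTR));
console.log('safe attr   :', renderTitleAttrSafe(PAYLOAD_ATTR));
```

The second pair of functions is the reason ENT_QUOTES is in the fix: with the unsafe attribute template, the label never contains a "<", so a tag-only filter would pass it, yet the rendered anchor gains an onmouseover handler. The escaped version turns every quote into &quot;, so the value stays inside the title attribute.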
How Did They Fix It?
The fix in the Teampass commit that closed the advisory comes down to escaping values on output, along these lines:
// Escaping added where the item label is written into HTML
echo htmlspecialchars($item['label'], ENT_QUOTES, 'UTF-8');
The 3.0.9 release notes mention the fix for XSS vulnerabilities: user-supplied content in the affected views is now escaped before it is rendered.
Update now!
If you run Teampass, upgrade to at least 3.0.9 as soon as possible. Note that upgrading changes how stored values are rendered; it does not remove payloads that were planted before the upgrade, so it is worth auditing existing item labels and descriptions for injected markup, both to clean them up and to identify the account that inserted them.
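As an added example (my own code, not a Teampass feature), here is a small post-upgrade audit that scans already-stored item fields for markup typical of an injected payload and reports which account authored each hit. The record shape (id, created_by, label, description, url) and the sample rows are constructed assumptions for the example, not Teampass's real database schema; in practice you would feed it rows exported from your own items table.

```javascript
// Added example, not Teampass code: audit stored item fields for markup that
// looks like an injected XSS payload. Field names and sample rows are
// assumptions for this example, not the real Teampass schema.
const SUSPICIOUS_PATTERNS = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'event-handler',  re: /\bon[a-z]+\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'embed-tag',      re: /<\s*(svg|iframe|img|object|embed)\b/i },
];

// Fields a user controls and that the vulnerable views rendered.
const FIELDS_TO_CHECK = ['label', 'description', 'url'];

// Return the names of every pattern that matches the value.
function classify(value) {
  if (typeof value !== 'string') return [];
  return SUSPICIOUS_PATTERNS.filter((p) => p.re.test(value)).map((p) => p.name);
}

// Walk the records and collect one finding per (record, field) with hits.
function auditRecords(records) {
  const findings = [];
  for (const rec of records) {
    for (const field of FIELDS_TO_CHECK) {
      const hits = classify(rec[field]);
      if (hits.length > 0) {
        findings.push({ id: rec.id, field, author: rec.created_by, hits });
      }
    }
  }
  return findings;
}

// Distinct accounts that authored at least one flagged field.
function authorsWithFindings(findings) {
  return [...new Set(findings.map((f) => f.author))].sort();
}

// Constructed sample rows (not real data). Row 5 is a deliberate
// near-miss: a bare "<" in prose should not be flagged.
const SAMPLE_ROWS = [
  { id: 1, created_by: 'alice',   label: 'Prod DB root', description: 'Rotate quarterly', url: 'https://db.internal' },
  { id: 2, created_by: 'mallory', label: "<script>alert('XSS by evil!');</script>", description: '', url: '' },
  { id: 3, created_by: 'mallory', label: 'VPN', description: '<img src=x onerror=alert(document.cookie)>', url: '' },
  { id: 4, created_by: 'bob',     label: 'Wiki', description: 'see <b>bold</b> note', url: 'javascript:alert(1)' },
  { id: 5, created_by: 'alice',   label: 'a < b comparison', description: 'math, not markup', url: '' },
];

// Stand-alone run.
const findings = auditRecords(SAMPLE_ROWS);
for (const f of findings) {
  console.log(`item ${f.id} field=${f.field} by=${f.author} hits=${f.hits.join(',')}`);
}
console.log('accounts to review:', authorsWithFindings(findings).join(', '));
```

The patterns are intentionally broad (any on*= handler, any javascript: URI, script and embed-style tags); the goal is triage, not a bulletproof classifier, so review each hit before deleting anything, and treat a benign <b> tag in a description as expected noise rather than expanding the list until it flags everything.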
Learn More
- Official Teampass GitHub repo
- CVE-2023-3191 @ NVD
- Full Advisory on huntr.dev
TL;DR: Cross-site scripting bugs can wreck password managers. Teampass < 3.0.9 had a flaw where any authenticated user could plant malicious JavaScript that, when viewed by others, could read their passwords or act in their sessions. Keep your tools patched, and never render user input without escaping it for the context it lands in.
_Share this post with anyone who runs their own password vaults. Security is only good when everyone keeps up._
Timeline
Published on: 06/10/2023 09:15:00 UTC
Last modified on: 06/15/2023 18:40:00 UTC