CVE-2019-16904 — TeamPass Cross-site Scripting (XSS) vulnerability

Description

TeamPass 2.1.27.36 allows XSS by setting a crafted password for an item in a folder, and then sharing that item with an admin. (The crafted password is exploitable when viewing the change history, or the previous used password field.)

How to fix CVE-2019-16904

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2019-16904 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 2.1.27.36

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-16904
PATCHgithub.com/nilsteampassnet/TeamPass
WEBgithub.com/nilsteampassnet/TeamPass/issues/2685
WEBgithub.com/nilsteampassnet/TeamPass/issues/2734