CVE-2023-2591
teampass vulnerable to code injection
CVSS 3.1 score: 7.1 (HIGH)
EPSS: 0.59%
Description
In nilsteampassnet/teampass prior to 3.0.7, if two users share access to the same folder, a malicious user can create an item whose label field is vulnerable to HTML injection. When other users view that item, the injected markup may redirect them to the attacker's website or capture their data through a form. The issue is fixed in version 3.0.7.
How to fix CVE-2023-2591
To remediate CVE-2023-2591, upgrade the affected package to a fixed version below.
- nilsteampassnet/teampass: upgrade to 3.0.7 or later
Is CVE-2023-2591 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- nilsteampassnet/teampass: all versions >= 0 and < 3.0.7
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.1) | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N |