CVE-2023-2859 — Code injection in nilsteampassnet/teampass

Description

nilsteampassnet/teampass prior to 3.0.9 is vulnerable to code injection. A malicious user could potentially rename a folder with a payload containing malicious code. This could result in an attack on an admin who edits the folder, as the payload could execute upon the admin's interaction with the folder. This attack could potentially allow the attacker to gain unauthorized access to the admin's system or steal sensitive information, or it could force admin to get redirected to a website controlled by the attacker.

How to fix CVE-2023-2859

To remediate CVE-2023-2859, upgrade the affected package to a fixed version below.

—upgrade to 3.0.9 or later

Is CVE-2023-2859 being exploited?

Moderate — EPSS is 8.7%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (1)

from 0, < 3.0.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-2859
PATCHgithub.com/nilsteampassnet/teampass
WEBgithub.com/nilsteampassnet/teampass/commit/1f51482a0c4d152ca876844212b0f8f3cb9387af
WEBhuntr.dev/bounties/d7b8ea75-c74a-4721-89bb-12e5c80fb0ba