PT-2024-28738 · Unknown · Vaultwarden

Author: Mirko Richter
Published: 2024-09-13
Updated: 2025-07-10
CVE: CVE-2024-39926
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Vaultwarden (formerly Bitwarden RS) version 1.30.3

Description: A stored cross-site scripting (XSS) or HTML injection issue has been discovered in the admin dashboard. This potentially allows an authenticated attacker to inject malicious code into the dashboard, which is then executed or rendered in the context of an administrator's browser when viewing the injected content. The default Content Security Policy (CSP) of the application blocks most exploitation paths, significantly mitigating the potential impact.

Recommendations: For version 1.30.3, consider disabling access to the admin dashboard until a patch is available to prevent potential exploitation. Restrict the use of the vulnerable component in the admin dashboard to minimize the risk of malicious code injection.

Weakness Enumeration: XSS

Related Identifiers: CVE-2024-39926

Affected Products: Vaultwarden