PT-2024-40021 · Passbolt · Passbolt

Published

2024-05-20

·

Updated

2024-05-20

CVSS v3.1

7.2

High

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Passbolt versions prior to 2.11
Description

A Passbolt administrator can create a user whose first name or last name carries an XSS payload such as <svg onload="confirm(document.domain)">'); ?></svg>. When the invited user opens the setup link from the invitation email, the setup start page served by the Passbolt server reflects the unsanitized name and the injected script runs in the user's browser. A malicious administrator could use this to alter the setup start page for a particular user, for example to trick that user into installing a different browser extension instead of the genuine one. The severity is high, but the likelihood is low: the payload is visible to the recipient in the email notification, and the attack requires action by a malicious administrator.
Recommendations

Update to a version that is not affected (2.11 or later). For versions prior to 2.11, sanitize the first name and last name with context-appropriate output encoding in the page that triggers the extension setup process. Additionally, consider configuring a Content Security Policy (CSP) in the web server in front of the Passbolt API that blocks inline scripts and scripts from third-party domains on the pages it serves; the CSP is defence in depth and does not replace the output encoding.
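The rendering defect described above and the two mitigations recommended here, as an added example that is not Passbolt's code: a hypothetical setup start page template that interpolates the stored first and last name without encoding, the hardened version that HTML-escapes element content and JSON-encodes values placed inside a script block, and a small checker for whether a CSP header value still permits inline scripts. The payload is constructed to match the shape of the one quoted in the advisory; the template layout, the function names and the two CSP strings are assumptions for illustration.

```python
import html
import json

# Constructed payload, same shape as the one quoted in the advisory.
MALICIOUS_FIRST_NAME = '<svg onload="confirm(document.domain)">\'); ?></svg>'
LAST_NAME = "Doe"

# Hypothetical CSP values for the web server fronting the Passbolt API.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
HARDENED_CSP = ("default-src 'self'; script-src 'self'; object-src 'none'; "
                "base-uri 'self'; frame-ancestors 'none'")


def render_setup_page_vulnerable(first_name: str, last_name: str) -> str:
    """Hypothetical template with the defect: the admin-supplied name is
    concatenated into element content and into an inline script literal.
    A '<svg onload=...>' in the name becomes live markup, and the trailing
    "'); " in the payload also breaks out of the quoted JS string."""
    return (
        "<html><body>"
        f"<h1>Welcome {first_name} {last_name}</h1>"
        "<script>"
        f"var setupUser = {{first: '{first_name}', last: '{last_name}'}};"
        "</script></body></html>"
    )


def encode_for_script(value: str) -> str:
    """JSON string literal for use inside <script>, with the HTML-significant
    characters escaped so the value can never close the script tag or open
    a new element."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_setup_page_fixed(first_name: str, last_name: str) -> str:
    """Same page with context-appropriate output encoding: html.escape for
    element content, encode_for_script for the script literal. Under a CSP
    without 'unsafe-inline' this inline script would also have to move to
    an external file or carry a nonce; the encoding is the primary fix and
    the CSP is defence in depth."""
    return (
        "<html><body>"
        f"<h1>Welcome {html.escape(first_name)} {html.escape(last_name)}</h1>"
        "<script>"
        f"var setupUser = {{first: {encode_for_script(first_name)}, "
        f"last: {encode_for_script(last_name)}}};"
        "</script></body></html>"
    )


def contains_live_markup(page: str) -> bool:
    """Crude check: does the rendered page still contain the payload's
    element and event handler as raw, unencoded text?"""
    return "<svg" in page and 'onload="' in page


def csp_allows_inline_script(policy: str) -> bool:
    """True if the CSP value still permits inline scripts and inline event
    handlers such as onload. Simplified parser: looks at script-src, falls
    back to default-src, and treats a missing directive as 'allow'. It
    ignores nonces and hashes, which in CSP Level 3 cause 'unsafe-inline'
    to be disregarded for script elements."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    vuln = render_setup_page_vulnerable(MALICIOUS_FIRST_NAME, LAST_NAME)
    fixed = render_setup_page_fixed(MALICIOUS_FIRST_NAME, LAST_NAME)
    print("vulnerable page carries live markup:", contains_live_markup(vuln))
    print("fixed page carries live markup:     ", contains_live_markup(fixed))
    print("weak CSP allows inline script:      ", csp_allows_inline_script(WEAK_CSP))
    print("hardened CSP allows inline script:  ", csp_allows_inline_script(HARDENED_CSP))
```

The two render functions differ only in the encoding applied at each output context, which is the whole of the fix recommended for versions prior to 2.11. The CSP checker is what to run against the header actually emitted by the web server: a policy that lacks a script-src (or default-src) directive, or that carries 'unsafe-inline', would not have stopped the onload handler in the payload.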

Fix

XSS


Weakness Enumeration

Related Identifiers

GHSA-2F46-4XJM-73X5

Affected Products

Passbolt