CVE-2024-33670: Passbolt API allows HTML injection

April 26, 2024

Passbolt API before 4.6.2 allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, it may still impact the appearance and user interaction of the page.

References

github.com/advisories/GHSA-2pg6-vw9c-qhjv
github.com/passbolt/passbolt_api/commit/5c537849040990086dcd5013b5bb009e1dad3fb6
help.passbolt.com/incidents/reflective-html-injection-vulnerability
nvd.nist.gov/vuln/detail/CVE-2024-33670

Detect and mitigate CVE-2024-33670 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →