GHSA-2f46-4xjm-73x5: Passbolt API Stored XSS on first/last name during setup
An administrator can craft a user with a malicious first name and last name, using a payload such as
<svg onload="confirm(document.domain)">'); ?></svg>
The user will then receive the invitation email and click on the setup link. The setup start page served by the server will fire the XSS.
References
- github.com/FriendsOfPHP/security-advisories/blob/master/passbolt/passbolt_api/2019-08-07-1.yaml
- github.com/advisories/GHSA-2f46-4xjm-73x5
- github.com/passbolt/passbolt_api
- github.com/passbolt/passbolt_api/blob/master/CHANGELOG.md
- github.com/passbolt/passbolt_api/commit/6135b483f72c6853e6085e329f5f8d7be60c9933
- www.passbolt.com/incidents/20190807_multiple_vulnerabilities
Code Behaviors & Features
Detect and mitigate GHSA-2f46-4xjm-73x5 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →