Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

WS-2019-0494

Good to know:

icon

Date: August 7, 2019

Stored XSS on first/last name during setup was found in Passbolt before v2.11.0. An administrator can craft a user with a malicious first name and last name, using a payload such as The user will then receive the invitation email and click on the setup link. The setup's start page served by the server will fire the XSS. An administrator could use this exploit to edit the setup start page for a given user, for example, trick the user into installing another extension. Even though the severity of this issue in itself is high, the likelihood is low because the exploit will be visible in clear by the user in the email notification, and also requires action from a malicious administrator.

Language: PHP

Severity Score

Related Resources (2)

https://github.com/passbolt/passbolt_api/commit/6135b483f72c6853e6085e329f5f8d7be60c9933
https://www.mend.io/vulnerability-database/WS-2019-0494

Severity Score

Weakness Type (CWE)

Cross-Site Scripting (XSS)

CWE-79

Top Fix

icon

Upgrade Version

Upgrade to version v2.11.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): NONE
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): LOW
Integrity (I): LOW
Availability (A): NONE

Do you need more information?

Contact Us