Home > Vulnerability Database > WS-2020-0200

Mend.io Vulnerability Database

WS-2020-0200

Good to know:

Date: November 2, 2020

An e-mail HTML injection vulnerability was found in Passbolt before v2.7.0. Passbolt sends an e-mail to users to warn them about different types of events such as the creation, modification, or deletion of a password. Those e-mails may contain user-specified input, such as a password's title or description. Passbolt does not escape the user's input properly, resulting in the user being able to inject HTML code in an e-mail. An authenticated attacker could share a password containing an img HTML tag in its description with another user to obtain information about their mail user-agent. This vulnerability has a very low impact. Most MUA does not embed remote images to protect their users' privacy.

Language: PHP

Severity Score

6.1

Related Resources (2)

Url: https://github.com/passbolt/passbolt_api/commit/00f0ebe37d78815adee26d5e80cf2250fe878647

Url: https://www.mend.io/vulnerability-database/WS-2020-0200

Severity Score

6.1

Weakness Type (CWE)

Code

CWE-17

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-74

Top Fix

Upgrade Version

Upgrade to version passbolt/passbolt_api - v2.2.0;passbolt/passbolt_api - v2.7.0;passbolt/passbolt_api - dev-dependabot/composer/phpseclib/phpseclib-2.0.31;passbolt/passbolt_api - dev-dependabot/npm_and_yarn/node-fetch-2.6.1;passbolt/passbolt_api - v2.5.0

Learn More

CVSS v3.1

Base Score:	6.1
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2020-0200

Good to know:

Date: November 2, 2020

Language: PHP

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?