CVE-2023-3009: 
PHP vulnerability analysis and mitigation

A stored Cross-site Scripting (XSS) vulnerability was discovered in the GitHub repository nilsteampassnet/teampass versions prior to 3.0.9. The vulnerability was disclosed on May 31, 2023, and was assigned CVE-2023-3009 (NVD, CVE).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. However, huntr.dev assessed it with a higher CVSS v3.0 base score of 8.1 (High) with vector string CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) (NVD).

The stored XSS vulnerability could allow attackers to execute malicious scripts in the context of other users' browsers, potentially leading to the theft of sensitive information, session hijacking, or other malicious actions (NVD).

The vulnerability has been patched in TeamPass version 3.0.9. Users should upgrade to this version or later to mitigate the risk. The fix includes improved input sanitization using DOMPurify and additional security checks for form fields (GitHub Patch).