CVE-2023-3086: 
PHP vulnerability analysis and mitigation

A stored Cross-site Scripting (XSS) vulnerability was discovered in GitHub repository nilsteampassnet/teampass versions prior to 3.0.9. The vulnerability was identified and disclosed on June 3, 2023, affecting the TeamPass password manager application (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 9.0 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H. The issue was identified as CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). The vulnerability existed in the user profile form where input validation and sanitization were insufficient (NVD, GitHub Patch).

The vulnerability allows attackers to execute arbitrary JavaScript code in the context of other users' browsers who view the stored malicious content. This could lead to session hijacking, credential theft, and other client-side attacks due to the high confidentiality, integrity, and availability impact ratings (NVD).

The vulnerability has been patched in TeamPass version 3.0.9. The fix includes improved input sanitization using DOMPurify and additional XSS protection measures in the user profile form. Users should upgrade to version 3.0.9 or later to protect against this vulnerability (GitHub Patch).