CVE-2018-14776
Description
Click Studios Passwordstate before 8.3 Build 8397 allows XSS by authenticated users via an uploaded HTML document.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Passwordstate before 8.3 Build 8397 is vulnerable to stored XSS via uploaded HTML documents by authenticated users.
Vulnerability
Passwordstate versions prior to 8.3 Build 8397 are vulnerable to stored cross-site scripting (XSS) through the upload of HTML documents. An authenticated user can upload a crafted HTML file containing malicious JavaScript. The vulnerability exists in the document upload functionality.
Exploitation
An authenticated user with permission to upload documents can upload an HTML file containing embedded JavaScript. When other users view the uploaded document, the script executes in their browser session. The attacker does not require any special privileges beyond standard user access to the upload feature.
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's session. This can lead to session hijacking, credential theft, or other actions performed on behalf of the victim. The XSS is stored, meaning it persists on the server and affects all subsequent viewers.
Mitigation
The vulnerability is fixed in Passwordstate version 8.3 Build 8397, as indicated in the vendor's changelog [2]. Users should upgrade to this version or later. No workarounds are documented; upgrading is the recommended action.
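For developers maintaining a document-upload feature of their own, the bug class described above (an uploaded HTML file rendered in the application's origin) is commonly closed when the file is served back. The sketch below is an added example, not Click Studios' fix or code; the function names, extension list and sample inputs are assumptions constructed for illustration.

```python
import mimetypes
import os
import re

# Assumption: extensions a browser may render as active content in the app's origin.
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".shtml", ".svg", ".xml", ".mht"}
# Leading markup that marks a body as HTML/SVG/XML whatever the file is called.
MARKUP_RE = re.compile(
    rb"^\s*(?:<!--.*?-->\s*)*<(?:!doctype|html|head|body|script|svg|iframe|\?xml)\b",
    re.IGNORECASE | re.DOTALL,
)


def looks_like_markup(head: bytes) -> bool:
    """True if the first bytes of an upload start like HTML, SVG or XML."""
    head = head.removeprefix(b"\xef\xbb\xbf")  # ignore a UTF-8 byte-order mark
    return MARKUP_RE.match(head[:1024]) is not None


def safe_filename(name: str) -> str:
    """Reduce a user-supplied name to characters safe in a quoted header value."""
    base = os.path.basename(name.replace("\\", "/"))
    return re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"


def download_headers(filename: str, head: bytes) -> dict:
    """Headers for returning an uploaded document to another user's browser."""
    name = safe_filename(filename)
    ext = os.path.splitext(name)[1].lower()
    active = ext in ACTIVE_EXTENSIONS or looks_like_markup(head)
    guessed = mimetypes.guess_type(name)[0] or "application/octet-stream"
    return {
        # Active content is never labelled with a renderable type.
        "Content-Type": "application/octet-stream" if active else guessed,
        # Always download; never display inline in the application's origin.
        "Content-Disposition": f'attachment; filename="{name}"',
        # Stop the browser from second-guessing the declared type.
        "X-Content-Type-Options": "nosniff",
        # If the response is rendered anyway, scripts get no origin and no loads.
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }


if __name__ == "__main__":
    # Constructed sample uploads, not taken from the advisory.
    for fname, body in [("notes.html", b"<html>"), ("logo.png", b"<ScRiPt>1"), ("report.pdf", b"%PDF-1.7")]:
        print(fname, download_headers(fname, body)["Content-Type"])
```

The content check catches markup uploaded under a harmless-looking extension, which an extension list alone would miss.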
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: < 8.3 Build 8397
Patches
No patches discovered yet.
References
- [1] www.clickstudios.com.au/about/secure-code-data.aspx (MITRE, x_refsource_MISC)
- [2] www.clickstudios.com.au/passwordstate-changelog.aspx (MITRE, x_refsource_MISC)