CVE-2024-33670
Description
Passbolt API before 4.6.2 allows reflective HTML injection via a URL parameter, affecting page appearance and interaction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
Passbolt API versions prior to 4.6.2 contain an HTML injection vulnerability in error page handling. When an invalid request triggers an error, the error message is directly assigned to the page title without sanitization. This allows an attacker to inject arbitrary HTML into the error page by crafting a malicious URL parameter [1][2].
Exploitation
An attacker can craft a URL that includes malicious HTML in a parameter that results in an error. When a victim visits this URL, the injected HTML is rendered by the browser. Although Content Security Policy (CSP) prevents JavaScript execution, the injected content can alter the page's appearance and potentially lead to phishing attacks by displaying misleading information [1].
Impact
The practical impact is limited by CSP, but the vulnerability can be used to deface the error page or trick users into believing they are seeing legitimate content. This could aid in social engineering attacks, such as displaying fake login forms or warnings that prompt user action [1].
Mitigation
The vulnerability is patched in Passbolt API version 4.6.2. The fix ensures that error messages are not directly used as the page title but instead display a generic 'Error' heading [2]. Users should upgrade to the latest version to eliminate the risk.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
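The mechanism and the fix described above, modelled as an added example (not Passbolt code): a constructed render of the error template before and after the patch, plus a check a defender can run over an error-page response to tell whether a parameter still reaches the title unescaped. The message format follows the patch's test; the page markup and the probe marker are assumptions.

```python
"""Model of CVE-2024-33670: error message reflected into <title> (pre-4.6.2)
versus a fixed 'Error' title with the message HTML-escaped in the body (4.6.2).
Constructed example; the markup below is a stand-in, not the real template."""
import html
import re

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def error_message(sort_param: str) -> str:
    """Wording taken from the fix's test: the rejected sort value is quoted."""
    return f'Invalid order. "{sort_param}" is not in the list of allowed order'


def render_error_page(message: str, patched: bool) -> str:
    """patched=False mirrors assign('title', $message): raw message in <title>.
    patched=True mirrors assign('title', __('Error')) with h($message) in the body."""
    if patched:
        title, body = "Error", html.escape(message, quote=True)
    else:
        title, body = message, message
    return (f"<html><head><title>Passbolt | {title}</title></head>"
            f"<body><p>{body}</p></body></html>")


def title_reflects_input(page: str, marker: str) -> bool:
    """True when the literal marker (sent in the URL parameter) lands inside
    <title> unescaped. Use a harmless marker such as '<b>probe</b>'; if the
    '<' survives, the parameter reaches the template without escaping."""
    m = TITLE_RE.search(page)
    return m is not None and marker in m.group(1)


def page_is_hardened(page: str, marker: str) -> bool:
    """Title is the generic heading and the marker appears only HTML-escaped,
    which is what the 4.6.2 test asserts for the 400 page."""
    m = TITLE_RE.search(page)
    if m is None or m.group(1).strip() != "Passbolt | Error":
        return False
    return marker not in page and html.escape(marker, quote=True) in page


if __name__ == "__main__":
    probe = "<b>probe</b>"  # constructed, harmless marker
    for patched in (False, True):
        page = render_error_page(error_message(probe), patched)
        print("patched" if patched else "vulnerable",
              "title reflects input:", title_reflects_input(page, probe),
              "hardened:", page_is_hardened(page, probe))
```

Against a live instance the same two checks apply to the body of a response to `/users/?sort=<marker>`; the title must read `Passbolt | Error` and the marker must only appear in escaped form.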
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| passbolt/passbolt_api | Packagist | < 4.6.2 | 4.6.2 |
Affected products
- Passbolt/Passbolt API
Patches
- 5c5378490409 PB-32932 Fix reflective HTML injection vulnerability
3 files changed · +75 −3
templates/Error/error400.php+6 −2 modified@@ -1,9 +1,13 @@ <?php +/** + * @var \App\View\AppView $this + * @var string $message + */ use Cake\Core\Configure; use Cake\Error\Debugger; $this->layout = 'error'; -$this->assign('title', $message); +$this->assign('title', __('Error')); $this->assign('pageClass', 'error-404'); ?> <div class="grid"> @@ -31,5 +35,5 @@ <?= $this->element('auto_table_warning') ?> <?php if (extension_loaded('xdebug')): xdebug_print_function_stack(); endif; ?> </div> -<?php endif;?> +<?php endif; ?> </div>
templates/Error/error500.php+5 −1 modified@@ -1,10 +1,14 @@ <?php +/** + * @var \App\View\AppView $this + * @var string $message + */ use Cake\Core\Configure; use Cake\Error\Debugger; $this->layout = 'error'; $this->assign('pageClass', 'error-500'); -$this->assign('title', $message); +$this->assign('title', __('Error')); ?> <div class="grid"> <div class="row">
tests/TestCase/Controller/ErrorControllerTest.php+64 −0 added@@ -0,0 +1,64 @@ +<?php +declare(strict_types=1); + +/** + * Passbolt ~ Open source password manager for teams + * Copyright (c) Passbolt SA (https://www.passbolt.com) + * + * Licensed under GNU Affero General Public License version 3 of the or any later version. + * For full copyright and license information, please see the LICENSE.txt + * Redistributions of files must retain the above copyright notice. + * + * @copyright Copyright (c) Passbolt SA (https://www.passbolt.com) + * @license https://opensource.org/licenses/AGPL-3.0 AGPL License + * @link https://www.passbolt.com Passbolt(tm) + * @since 4.7.0 + */ +namespace App\Test\TestCase\Controller; + +use App\Test\Lib\AppIntegrationTestCase; +use Cake\Core\Configure; + +/** + * @covers \App\Controller\ErrorController + */ +class ErrorControllerTest extends AppIntegrationTestCase +{ + public function testErrorController_HTML_404(): void + { + Configure::write('debug', false); + + $this->get('/a-route-that-is-not-found'); + + $resultHtml = $this->_getBodyAsString(); + $this->assertResponseError(); + $this->assertResponseCode(404); + $this->assertTextContains('<title>Passbolt | Error</title>', $resultHtml); + $this->assertTextContains('<h2>Not Found</h2>', $resultHtml); + $this->assertTextContains('The requested address was not found on this server.', $resultHtml); + } + + public function testErrorController_HTML_400_TitleAndErrorMessagePurified(): void + { + $this->get('/users/?sort=1</title></br></br><h1>Defaced</h1>'); + + $this->assertResponseError(); + $this->assertResponseCode(400); + $resultHtml = $this->_getBodyAsString(); + $this->assertTextContains('<title>Passbolt | Error</title>', $resultHtml); + $expectedFilteredMsg = 'Invalid order. ' . h('"1</title></br></br><h1>Defaced</h1>"') . 
' is not in the list of allowed order'; + $this->assertTextContains($expectedFilteredMsg, $resultHtml); + } + + public function testErrorController_HTML_500(): void + { + Configure::write('passbolt.healthcheck.error', true); + + $this->get('/healthcheck/error'); + + $this->assertResponseCode(500); + $resultHtml = $this->_getBodyAsString(); + $this->assertTextContains('<title>Passbolt | Error</title>', $resultHtml); + $this->assertTextContains('<h2>An Internal Error Has Occurred</h2>', $resultHtml); + } +}
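Review bot: the `-$this->assign('title', $message);` / `+$this->assign('title', __('Error'));` change in both templates/Error/error400.php and templates/Error/error500.php removes the raw message from <title>, but neither hunk shows where `$message` is still rendered in the body, and the new test only passes if that rendering goes through `h()`. Extend the added `@var string $message` docblock with a note that the variable is unescaped and must always be output via `h()`, or escape it once at the top of the template, so a later edit to the body cannot reintroduce the injection.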
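Review bot: in tests/TestCase/Controller/ErrorControllerTest.php the header says `@since 4.7.0` while the advisory lists 4.6.2 as the patched version; align the docblock with the release the fix ships in. Also, testErrorController_HTML_404 sets `Configure::write('debug', false);` and testErrorController_HTML_500 sets `Configure::write('passbolt.healthcheck.error', true);` without restoring either value; unless AppIntegrationTestCase resets Configure in tearDown, both leak into later tests, so restore them at the end of each test or in a tearDown().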
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-2pg6-vw9c-qhjv (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-33670 (GHSA, advisory)
- github.com/passbolt/passbolt_api/commit/5c537849040990086dcd5013b5bb009e1dad3fb6 (GHSA, web)
- help.passbolt.com/incidents/reflective-html-injection-vulnerability (GHSA, web)
- www.passbolt.com/incidents (MITRE)
- www.passbolt.com/security/more (MITRE)