CVE-2024-33670: n/a
Passbolt API before 4.6.2 allows HTML injection in a URL parameter, resulting in custom content being displayed when a user visits the crafted URL. Although the injected content is not executed as JavaScript due to Content Security Policy (CSP) restrictions, it may still impact the appearance and user interaction of the page.
AI Analysis
Technical Summary
CVE-2024-33670 identifies an HTML injection vulnerability in the Passbolt API versions before 4.6.2. The vulnerability arises from insufficient sanitization of a URL parameter that allows an attacker to inject arbitrary HTML content into the rendered page. Although the injected content cannot execute JavaScript due to the presence of a strict Content Security Policy (CSP), the attacker can still manipulate the page's visual elements and user interface. This can lead to misleading content presentation, potentially tricking users into unintended actions or causing confusion. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation), a common web security weakness. Exploitation requires no authentication and can be performed remotely by enticing a user to visit a maliciously crafted URL. The CVSS v3.1 base score is 4.3 (medium severity), reflecting limited impact on confidentiality and no impact on integrity or availability, with low attack complexity and no privileges required. No known exploits have been reported in the wild as of the publication date. The vulnerability affects all versions prior to 4.6.2, though specific affected versions are not enumerated. Remediation involves upgrading to Passbolt API version 4.6.2 or later, which addresses the input sanitization issue. Additional security controls such as enhanced input validation, output encoding, and CSP reinforcement can further mitigate risk.
Potential Impact
The primary impact of CVE-2024-33670 is the potential for attackers to manipulate the visual presentation of the Passbolt API web interface by injecting arbitrary HTML content. This can degrade user trust, facilitate phishing attempts, or cause users to perform unintended actions based on misleading UI elements. Since JavaScript execution is blocked by CSP, the risk of more severe attacks like remote code execution or data theft is mitigated. However, the altered appearance can still be exploited for social engineering or UI redressing attacks. Organizations relying on Passbolt for secure password management may face reputational damage or reduced user confidence if this vulnerability is exploited. The vulnerability does not compromise data confidentiality or integrity directly, nor does it affect system availability. The ease of exploitation (no authentication, remote, low complexity) increases the likelihood of opportunistic attacks, especially in environments where users may be less security-aware. While no active exploitation is known, the vulnerability presents a moderate risk that should be addressed promptly to maintain the security posture of affected deployments.
Mitigation Recommendations
1. Upgrade Passbolt API to version 4.6.2 or later immediately, as this version contains the fix for the HTML injection vulnerability.
2. Implement strict input validation and sanitization on all URL parameters to prevent injection of malicious HTML content.
3. Enforce and regularly review Content Security Policy (CSP) headers to ensure they effectively block script execution and limit the impact of injected content.
4. Educate users about the risks of clicking on unsolicited or suspicious URLs, especially those purporting to be from internal tools like Passbolt.
5. Conduct regular security assessments and penetration testing focused on injection vulnerabilities and UI manipulation risks.
6. Monitor web server and application logs for unusual URL patterns or access attempts that may indicate exploitation attempts.
7. Consider implementing additional security headers such as X-Content-Type-Options and X-Frame-Options to reduce attack surface.
8. If upgrading immediately is not feasible, apply temporary mitigations such as URL parameter filtering at the web application firewall (WAF) level to block suspicious inputs.
Affected Countries
United States, Germany, United Kingdom, France, Netherlands, Australia, Canada, Sweden, Switzerland, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2024-04-26T00:00:00.000Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6c44b7ef31ef0b561c16
Added to database: 2/25/2026, 9:40:20 PM
Last enriched: 2/26/2026, 4:33:31 AM
Last updated: 4/11/2026, 8:46:04 PM