Summary
Detail | |||
---|---|---|---|
Vendor | Teampass | First view | 2012-04-21 |
Product | Teampass | Last view | 2023-07-10 |
Version | 2.1.5 | Type | Application |
Update | * | ||
Edition | * | ||
Language | * | ||
Sofware Edition | * | ||
Target Software | * | ||
Target Hardware | * | ||
Other | * | ||
CPE Product | cpe:2.3:a:teampass:teampass |
Activity : Overall
Related : CVE
Date | Alert | Description | |
---|---|---|---|
5.4 | 2023-07-10 | CVE-2023-3565 | Cross-site Scripting (XSS) - Generic in GitHub repository nilsteampassnet/teampass prior to 3.0.10. |
7.5 | 2023-07-08 | CVE-2023-3553 | Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository nilsteampassnet/teampass prior to 3.0.10. |
5.4 | 2023-07-08 | CVE-2023-3552 | Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.10. |
7.2 | 2023-07-08 | CVE-2023-3551 | Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.10. |
5.4 | 2023-07-06 | CVE-2023-3531 | Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.10. |
5.4 | 2023-06-10 | CVE-2023-3191 | Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9. |
4.6 | 2023-06-10 | CVE-2023-3190 | Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.9. |
6.5 | 2023-06-04 | CVE-2023-3095 | Improper Access Control in GitHub repository nilsteampassnet/teampass prior to 3.0.9. |
9 | 2023-06-03 | CVE-2023-3086 | Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9. |
8.1 | 2023-06-03 | CVE-2023-3084 | Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9. |
8.7 | 2023-06-03 | CVE-2023-3083 | Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9. |
5.4 | 2023-05-31 | CVE-2023-3009 | Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9. |
8.8 | 2023-05-24 | CVE-2023-2859 | Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.9. |
5.4 | 2023-05-09 | CVE-2023-2591 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitHub repository nilsteampassnet/teampass prior to 3.0.7. |
5.4 | 2023-05-05 | CVE-2023-2516 | Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.7. |
5.4 | 2023-04-13 | CVE-2023-2021 | Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.3. |
7.5 | 2023-03-21 | CVE-2023-1545 | SQL Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23. |
5.4 | 2023-03-17 | CVE-2023-1463 | Authorization Bypass Through User-Controlled Key in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23. |
7.1 | 2023-02-27 | CVE-2023-1070 | External Control of File Name or Path in GitHub repository nilsteampassnet/teampass prior to 3.0.0.22. |
8.1 | 2020-05-04 | CVE-2020-11671 | Lack of authorization controls in REST API functions in TeamPass through 2.1.27.36 allows any TeamPass user with a valid API token to become a TeamPass administrator and read/modify all passwords via authenticated api/index.php REST API calls. NOTE: the API is not available by default. |
9.8 | 2019-02-04 | CVE-2019-1000001 | TeamPass version 2.1.27 and earlier contains a Storing Passwords in a Recoverable Format vulnerability in Shared password vaults that can result in all shared passwords are recoverable server side. This attack appears to be exploitable via any vulnerability that can bypass authentication or role assignment and can lead to shared password leakage. |
8.1 | 2017-11-27 | CVE-2017-15055 | TeamPass before 2.1.27.9 does not properly enforce item access control when requesting items.queries.php. It is then possible to copy any arbitrary item into a directory controlled by the attacker, edit any item within a read-only directory, delete an arbitrary item, delete the file attachments of an arbitrary item, copy the password of an arbitrary item to the copy/paste buffer, access the history of an arbitrary item, and edit attributes of an arbitrary directory. To exploit the vulnerability, an authenticated attacker must tamper with the requests sent directly, for example by changing the "item_id" parameter when invoking "copy_item" on items.queries.php. |
7.5 | 2017-11-27 | CVE-2017-15054 | An arbitrary file upload vulnerability, present in TeamPass before 2.1.27.9, allows remote authenticated users to upload arbitrary files leading to Remote Command Execution. To exploit this vulnerability, an authenticated attacker has to tamper with parameters of a request to upload.files.php, in order to select the correct branch and be able to upload any arbitrary file. From there, it can simply access the file to execute code on the server. |
4.9 | 2017-11-27 | CVE-2017-15053 | TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting roles.queries.php. It is then possible for a manager user to modify any arbitrary roles within the application, or delete any arbitrary role. To exploit the vulnerability, an authenticated attacker must have the manager rights on the application, then tamper with the requests sent directly, for example by changing the "id" parameter when invoking "delete_role" on roles.queries.php. |
4.9 | 2017-11-27 | CVE-2017-15052 | TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting users.queries.php. It is then possible for a manager user to delete an arbitrary user (including admin), or modify attributes of any arbitrary user except administrator. To exploit the vulnerability, an authenticated attacker must have the manager rights on the application, then tamper with the requests sent directly, for example by changing the "id" parameter when invoking "delete_user" on users.queries.php. |
CWE : Common Weakness Enumeration
% | id | Name |
---|---|---|
29% (5) | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
17% (3) | CWE-269 | Improper Privilege Management |
17% (3) | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('... |
11% (2) | CWE-264 | Permissions, Privileges, and Access Controls |
5% (1) | CWE-522 | Insufficiently Protected Credentials |
5% (1) | CWE-434 | Unrestricted Upload of File with Dangerous Type |
5% (1) | CWE-352 | Cross-Site Request Forgery (CSRF) |
5% (1) | CWE-116 | Improper Encoding or Escaping of Output |