Total
45 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2017-15051 | 1 Teampass | 1 Teampass | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| Multiple stored cross-site scripting (XSS) vulnerabilities in TeamPass before 2.1.27.9 allow authenticated remote attackers to inject arbitrary web script or HTML via the (1) URL value of an item or (2) user log history. To exploit the vulnerability, the attacker must be first authenticated to the application. For the first one, the attacker has to simply inject XSS code within the URL field of a shared item. For the second one however, the attacker must prepare a payload within its profile, and then ask an administrator to modify its profile. From there, whenever the administrator accesses the log, it can be XSS'ed. | |||||
| CVE-2017-9436 | 1 Teampass | 1 Teampass | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| TeamPass before 2.1.27.4 is vulnerable to a SQL injection in users.queries.php. | |||||
| CVE-2015-7562 | 1 Teampass | 1 Teampass | 2025-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) label value of an item or (2) name of a role. | |||||
| CVE-2017-15053 | 1 Teampass | 1 Teampass | 2025-04-20 | 4.0 MEDIUM | 4.9 MEDIUM |
| TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting roles.queries.php. It is then possible for a manager user to modify any arbitrary roles within the application, or delete any arbitrary role. To exploit the vulnerability, an authenticated attacker must have the manager rights on the application, then tamper with the requests sent directly, for example by changing the "id" parameter when invoking "delete_role" on roles.queries.php. | |||||
| CVE-2017-15054 | 1 Teampass | 1 Teampass | 2025-04-20 | 6.5 MEDIUM | 7.5 HIGH |
| An arbitrary file upload vulnerability, present in TeamPass before 2.1.27.9, allows remote authenticated users to upload arbitrary files leading to Remote Command Execution. To exploit this vulnerability, an authenticated attacker has to tamper with parameters of a request to upload.files.php, in order to select the correct branch and be able to upload any arbitrary file. From there, it can simply access the file to execute code on the server. | |||||
| CVE-2017-15052 | 1 Teampass | 1 Teampass | 2025-04-20 | 4.0 MEDIUM | 4.9 MEDIUM |
| TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting users.queries.php. It is then possible for a manager user to delete an arbitrary user (including admin), or modify attributes of any arbitrary user except administrator. To exploit the vulnerability, an authenticated attacker must have the manager rights on the application, then tamper with the requests sent directly, for example by changing the "id" parameter when invoking "delete_user" on users.queries.php. | |||||
| CVE-2017-15278 | 1 Teampass | 1 Teampass | 2025-04-20 | 3.5 LOW | 5.4 MEDIUM |
| Cross-Site Scripting (XSS) was discovered in TeamPass before 2.1.27.9. The vulnerability exists due to insufficient filtration of data (in /sources/folders.queries.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2015-7563 | 1 Teampass | 1 Teampass | 2025-04-20 | 6.8 MEDIUM | 8.8 HIGH |
| Cross-site request forgery (CSRF) vulnerability in TeamPass 2.1.24 and earlier allows remote attackers to hijack the authentication of an authenticated user. | |||||
| CVE-2017-15055 | 1 Teampass | 1 Teampass | 2025-04-20 | 6.5 MEDIUM | 8.1 HIGH |
| TeamPass before 2.1.27.9 does not properly enforce item access control when requesting items.queries.php. It is then possible to copy any arbitrary item into a directory controlled by the attacker, edit any item within a read-only directory, delete an arbitrary item, delete the file attachments of an arbitrary item, copy the password of an arbitrary item to the copy/paste buffer, access the history of an arbitrary item, and edit attributes of an arbitrary directory. To exploit the vulnerability, an authenticated attacker must tamper with the requests sent directly, for example by changing the "item_id" parameter when invoking "copy_item" on items.queries.php. | |||||
| CVE-2015-7564 | 1 Teampass | 1 Teampass | 2025-04-20 | 7.5 HIGH | 9.8 CRITICAL |
| Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an action_on_quick_icon action to item.query.php or the (2) order or (3) direction parameter in an (a) connections_logs, (b) errors_logs or (c) access_logs action to view.query.php. | |||||
| CVE-2014-3774 | 1 Teampass | 1 Teampass | 2025-04-12 | 4.3 MEDIUM | N/A |
| Multiple cross-site scripting (XSS) vulnerabilities in items.php in TeamPass before 2.1.20 allow remote attackers to inject arbitrary web script or HTML via the group parameter, which is not properly handled in a (1) hid_cat or (2) open_folder form element, or (3) id parameter, which is not properly handled in the open_id form element. | |||||
| CVE-2014-3773 | 1 Teampass | 1 Teampass | 2025-04-12 | 7.5 HIGH | N/A |
| Multiple SQL injection vulnerabilities in TeamPass before 2.1.20 allow remote attackers to execute arbitrary SQL commands via the login parameter in a (1) send_pw_by_email or (2) generate_new_password action in sources/main.queries.php; iDisplayStart parameter to (3) datatable.logs.php or (4) a file in source/datatable/; or iDisplayLength parameter to (5) datatable.logs.php or (6) a file in source/datatable/; or allow remote authenticated users to execute arbitrary SQL commands via a sSortDir_ parameter to (7) datatable.logs.php or (8) a file in source/datatable/. | |||||
| CVE-2014-3772 | 1 Teampass | 1 Teampass | 2025-04-12 | 7.5 HIGH | N/A |
| TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via a request to index.php followed by a direct request to a file that calls the session_start function before checking the CPM key, as demonstrated by a request to sources/upload/upload.files.php. | |||||
| CVE-2014-3771 | 1 Teampass | 1 Teampass | 2025-04-12 | 7.5 HIGH | N/A |
| TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via the language file path in a (1) request to index.php or (2) "change_user_language" request to sources/main.queries.php. | |||||
| CVE-2012-2234 | 1 Teampass | 1 Teampass | 2025-04-11 | 4.3 MEDIUM | N/A |
| Cross-site scripting (XSS) vulnerability in sources/users.queries.php in TeamPass before 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the login parameter in an add_new_user action. | |||||
| CVE-2023-3565 | 1 Teampass | 1 Teampass | 2024-11-21 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Generic in GitHub repository nilsteampassnet/teampass prior to 3.0.10. | |||||
| CVE-2023-3553 | 1 Teampass | 1 Teampass | 2024-11-21 | N/A | 7.5 HIGH |
| Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository nilsteampassnet/teampass prior to 3.0.10. | |||||
| CVE-2023-3552 | 1 Teampass | 1 Teampass | 2024-11-21 | N/A | 5.4 MEDIUM |
| Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.10. | |||||
| CVE-2023-3551 | 1 Teampass | 1 Teampass | 2024-11-21 | N/A | 7.2 HIGH |
| Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.10. | |||||
| CVE-2023-3531 | 1 Teampass | 1 Teampass | 2024-11-21 | N/A | 5.4 MEDIUM |
| Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.10. | |||||