CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16904
https://notcve.org/view.php?id=CVE-2019-16904
26 Sep 2019 — TeamPass 2.1.27.36 allows Stored XSS by setting a crafted password for an item in a common available folder or sharing the item with an admin. (The crafted password is exploitable when viewing the change history of the item or tapping on the item.) TeamPass versión 2.1.27.36, permite un ataque de tipo XSS mediante el establecimiento de una contraseña diseñada para un elemento en una carpeta y entonces compartir ese elemento con un administrador. (La contraseña diseñada es explotable cuando se visualiza el h... • https://github.com/nilsteampassnet/TeamPass/issues/2685 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2019-12950
https://notcve.org/view.php?id=CVE-2019-12950
06 Aug 2019 — An issue was discovered in TeamPass 2.1.27.35. From the sources/items.queries.php "Import items" feature, it is possible to load a crafted CSV file with an XSS payload. Se detectó un problema en TeamPass versión 2.1.27.35. Desde la funcionalidad "Import items" del archivo sources/items.queries.php, es posible cargar un archivo CSV diseñado con una carga útil de tipo XSS. • https://github.com/nilsteampassnet/TeamPass/issues/2638 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1000001
https://notcve.org/view.php?id=CVE-2019-1000001
04 Feb 2019 — TeamPass version 2.1.27 and earlier contains a Storing Passwords in a Recoverable Format vulnerability in Shared password vaults that can result in all shared passwords are recoverable server side. This attack appears to be exploitable via any vulnerability that can bypass authentication or role assignment and can lead to shared password leakage. TeamPass, en versiones 2.1.27 y anteriores, contiene una vulnerabilidad de almacenamiento de contraseñas en formato recuperable en los almacenes de contraseñas com... • https://github.com/nilsteampassnet/TeamPass/issues/2495 • CWE-522: Insufficiently Protected Credentials •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2017-15051
https://notcve.org/view.php?id=CVE-2017-15051
27 Nov 2017 — Multiple stored cross-site scripting (XSS) vulnerabilities in TeamPass before 2.1.27.9 allow authenticated remote attackers to inject arbitrary web script or HTML via the (1) URL value of an item or (2) user log history. To exploit the vulnerability, the attacker must be first authenticated to the application. For the first one, the attacker has to simply inject XSS code within the URL field of a shared item. For the second one however, the attacker must prepare a payload within its profile, and then ask an... • http://blog.amossys.fr/teampass-multiple-cve-01.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2017-15055
https://notcve.org/view.php?id=CVE-2017-15055
27 Nov 2017 — TeamPass before 2.1.27.9 does not properly enforce item access control when requesting items.queries.php. It is then possible to copy any arbitrary item into a directory controlled by the attacker, edit any item within a read-only directory, delete an arbitrary item, delete the file attachments of an arbitrary item, copy the password of an arbitrary item to the copy/paste buffer, access the history of an arbitrary item, and edit attributes of an arbitrary directory. To exploit the vulnerability, an authenti... • http://blog.amossys.fr/teampass-multiple-cve-01.html • CWE-269: Improper Privilege Management •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1CVE-2017-15053
https://notcve.org/view.php?id=CVE-2017-15053
27 Nov 2017 — TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting roles.queries.php. It is then possible for a manager user to modify any arbitrary roles within the application, or delete any arbitrary role. To exploit the vulnerability, an authenticated attacker must have the manager rights on the application, then tamper with the requests sent directly, for example by changing the "id" parameter when invoking "delete_role" on roles.queries.php. Las versiones anteriores a la 2.1.27.... • http://blog.amossys.fr/teampass-multiple-cve-01.html • CWE-269: Improper Privilege Management •
CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1CVE-2017-15052
https://notcve.org/view.php?id=CVE-2017-15052
27 Nov 2017 — TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting users.queries.php. It is then possible for a manager user to delete an arbitrary user (including admin), or modify attributes of any arbitrary user except administrator. To exploit the vulnerability, an authenticated attacker must have the manager rights on the application, then tamper with the requests sent directly, for example by changing the "id" parameter when invoking "delete_user" on users.queries.php. Las versi... • http://blog.amossys.fr/teampass-multiple-cve-01.html • CWE-269: Improper Privilege Management •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2017-15054
https://notcve.org/view.php?id=CVE-2017-15054
27 Nov 2017 — An arbitrary file upload vulnerability, present in TeamPass before 2.1.27.9, allows remote authenticated users to upload arbitrary files leading to Remote Command Execution. To exploit this vulnerability, an authenticated attacker has to tamper with parameters of a request to upload.files.php, in order to select the correct branch and be able to upload any arbitrary file. From there, it can simply access the file to execute code on the server. Una vulnerabilidad de subida de archivos arbitrarios, presente e... • http://blog.amossys.fr/teampass-multiple-cve-01.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2017-15278
https://notcve.org/view.php?id=CVE-2017-15278
12 Oct 2017 — Cross-Site Scripting (XSS) was discovered in TeamPass before 2.1.27.9. The vulnerability exists due to insufficient filtration of data (in /sources/folders.queries.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. Se ha descubierto Cross-Site Scripting (XSS) en TeamPass en versiones anteriores a la 2.1.27.9. Esta vulnerabilidad existe por un filtrado insuficiente de datos (en /sources/folders.queries.php). • https://github.com/nilsteampassnet/TeamPass/blob/master/changelog.md • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 39EXPL: 0CVE-2017-9436
https://notcve.org/view.php?id=CVE-2017-9436
05 Jun 2017 — TeamPass before 2.1.27.4 is vulnerable to a SQL injection in users.queries.php. TeamPass anterior a versión 2.1.27.4, es vulnerable a una inyección SQL en el archivo users.queries.php. • https://github.com/nilsteampassnet/TeamPass/blob/master/changelog.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •