CVE-2023-2021 – Cross-site Scripting (XSS) - Stored in nilsteampassnet/teampass
https://notcve.org/view.php?id=CVE-2023-2021
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.3. • https://github.com/nilsteampassnet/teampass/commit/77c541a0151841d1f4ceb0a84ca391e1b526d58d https://huntr.dev/bounties/2e31082d-7aeb-46ff-84d6-9561758e3bf0 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2023-1545 – SQL Injection in nilsteampassnet/teampass
https://notcve.org/view.php?id=CVE-2023-1545
SQL Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23. • https://github.com/nilsteampassnet/teampass/commit/4780252fdb600ef2ec2758f17a37d738570cbe66 https://huntr.dev/bounties/942c015f-7486-49b1-94ae-b1538d812bc2 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2023-1463 – Authorization Bypass Through User-Controlled Key in nilsteampassnet/teampass
https://notcve.org/view.php?id=CVE-2023-1463
Authorization Bypass Through User-Controlled Key in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23. • https://github.com/nilsteampassnet/teampass/commit/4e06fbaf2b78c3615d0599855a72ba7e31157516 https://huntr.dev/bounties/f6683c3b-a0f2-4615-b639-1920c8ae12e6 • CWE-639: Authorization Bypass Through User-Controlled Key •
CVE-2023-1070 – External Control of File Name or Path in nilsteampassnet/teampass
https://notcve.org/view.php?id=CVE-2023-1070
External Control of File Name or Path in GitHub repository nilsteampassnet/teampass prior to 3.0.0.22. • https://github.com/nilsteampassnet/teampass/commit/0af3574caba27a61b16dc25c94fa51ae12d2d967 https://huntr.dev/bounties/318bfdc4-7782-4979-956f-9ba2cc44889c • CWE-73: External Control of File Name or Path •
CVE-2020-11671
https://notcve.org/view.php?id=CVE-2020-11671
Lack of authorization controls in REST API functions in TeamPass through 2.1.27.36 allows any TeamPass user with a valid API token to become a TeamPass administrator and read/modify all passwords via authenticated api/index.php REST API calls. NOTE: the API is not available by default. • https://github.com/nilsteampassnet/TeamPass/issues/2765 • CWE-862: Missing Authorization •