Page 6 of 34 results (0.011 seconds)

CVSS: 4.9EPSS: 0%CPEs: 1EXPL: 1

TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting roles.queries.php. It is then possible for a manager user to modify any arbitrary roles within the application, or delete any arbitrary role. To exploit the vulnerability, an authenticated attacker must have the manager rights on the application, then tamper with the requests sent directly, for example by changing the "id" parameter when invoking "delete_role" on roles.queries.php. Las versiones anteriores a la 2.1.27.9 de TeamPass no aplican correctamente el control de acceso de managers al solicitar roles.queries.php. Es posible para un usuario manager modificar o eliminar cualquier rol arbitrario en la aplicación.. • http://blog.amossys.fr/teampass-multiple-cve-01.html https://github.com/nilsteampassnet/TeamPass/commit/ef32e9c28b6ddc33cee8a25255bc8da54434af3e • CWE-269: Improper Privilege Management •

CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0

Cross-Site Scripting (XSS) was discovered in TeamPass before 2.1.27.9. The vulnerability exists due to insufficient filtration of data (in /sources/folders.queries.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. Se ha descubierto Cross-Site Scripting (XSS) en TeamPass en versiones anteriores a la 2.1.27.9. Esta vulnerabilidad existe por un filtrado insuficiente de datos (en /sources/folders.queries.php). • https://github.com/nilsteampassnet/TeamPass/blob/master/changelog.md https://github.com/nilsteampassnet/TeamPass/commit/f5a765381f051fe624386866ddb1f6b5e7eb929b https://github.com/nilsteampassnet/TeamPass/releases/tag/2.1.27.9 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1

Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an action_on_quick_icon action to item.query.php or the (2) order or (3) direction parameter in an (a) connections_logs, (b) errors_logs or (c) access_logs action to view.query.php. Múltiples vulnerabilidades de inyección SQL en TeamPass 2.1.24 y versiones anteriores permiten a atacantes remotos a ejecutar comandos arbitrarios SQL a través de (1) el parámetro id en una acción action_on_quick_icon a un item.query.php o (2) el orden o (3) el parámetro de dirección en un (a) connections_logs, (b) errors_logs o (c) acción access_logs en un view.query.php. • https://www.exploit-db.com/exploits/39559 https://github.com/nilsteampassnet/TeamPass/pull/1140 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1

Cross-site request forgery (CSRF) vulnerability in TeamPass 2.1.24 and earlier allows remote attackers to hijack the authentication of an authenticated user. Vulnerabilidad (CSRF) en TeamPass 2.1.24 y versiones anteriores permite a atacantes remotos a secuestrar la autenticación de un usuario autenticado. • https://www.exploit-db.com/exploits/39559 https://github.com/nilsteampassnet/TeamPass/pull/1140 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 1

Multiple cross-site scripting (XSS) vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) label value of an item or (2) name of a role. Múltiples vulnerabilidades (XSS) en TeamPass 2.1.24 y anteriores permiten a atacantes remotos inyectar secuencias de comandos web o HTLM a través del (1) valor de etiqueta o (2) nombre de una función. • https://www.exploit-db.com/exploits/39559 https://github.com/nilsteampassnet/TeamPass/pull/1140 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •