CVSS: 6.1 | EPSS: 0% | CPEs: 1 | EXPL: 1

Multiple cross-site scripting (XSS) vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) label value of an item or (2) name of a role.

• https://www.exploit-db.com/exploits/39559
• https://github.com/nilsteampassnet/TeamPass/pull/1140
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 1% | CPEs: 13 | EXPL: 1

TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via a request to index.php followed by a direct request to a file that calls the session_start function before checking the CPM key, as demonstrated by a request to sources/upload/upload.files.php.

• http://teampass.net/installation/2.1.20-released.html
• http://www.openwall.com/lists/oss-security/2014/05/18/2
• http://www.openwall.com/lists/oss-security/2014/05/19/5
• https://github.com/nilsteampassnet/TeamPass/commit/7715512f2bd5659cc69e063a1c513c19e384340f
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 7.5 | EPSS: 1% | CPEs: 13 | EXPL: 1

TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via the language file path in a (1) request to index.php or (2) "change_user_language" request to sources/main.queries.php.

• http://teampass.net/installation/2.1.20-released.html
• http://www.openwall.com/lists/oss-security/2014/05/18/2
• http://www.openwall.com/lists/oss-security/2014/05/19/5
• https://github.com/nilsteampassnet/TeamPass/commit/fd549b245c0f639a8d47bf4f74f92c37c053706f
• CWE-264: Permissions, Privileges, and Access Controls

CVSS: 4.3 | EPSS: 0% | CPEs: 13 | EXPL: 2

Multiple cross-site scripting (XSS) vulnerabilities in items.php in TeamPass before 2.1.20 allow remote attackers to inject arbitrary web script or HTML via the group parameter, which is not properly handled in a (1) hid_cat or (2) open_folder form element, or (3) id parameter, which is not properly handled in the open_id form element.

• http://teampass.net/installation/2.1.20-released.html
• http://www.openwall.com/lists/oss-security/2014/05/18/2
• http://www.openwall.com/lists/oss-security/2014/05/19/5
• https://github.com/nilsteampassnet/TeamPass/commit/8820c8934d9ba0508ac345e73ad0be29049ec6de
• https://github.com/nilsteampassnet/TeamPass/commit/fd549b245c0f639a8d47bf4f74f92c37c053706f
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.5 | EPSS: 0% | CPEs: 13 | EXPL: 2

Multiple SQL injection vulnerabilities in TeamPass before 2.1.20 allow remote attackers to execute arbitrary SQL commands via the login parameter in a (1) send_pw_by_email or (2) generate_new_password action in sources/main.queries.php; iDisplayStart parameter to (3) datatable.logs.php or (4) a file in source/datatable/; or iDisplayLength parameter to (5) datatable.logs.php or (6) a file in source/datatable/; or allow remote authenticated users to execute arbitrary SQL commands via a sSortDir_ parameter to (7) datatable.logs.php or (8) a file in source/datatable/.

• http://teampass.net/installation/2.1.20-released.html
• http://www.openwall.com/lists/oss-security/2014/05/18/2
• http://www.openwall.com/lists/oss-security/2014/05/19/5
• https://github.com/nilsteampassnet/TeamPass/commit/7715512f2bd5659cc69e063a1c513c19e384340f
• https://github.com/nilsteampassnet/TeamPass/commit/8820c8934d9ba0508ac345e73ad0be29049ec6de
• CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')