CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2015-7563 – TeamPass 2.1.24 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-7563
Cross-site request forgery (CSRF) vulnerability in TeamPass 2.1.24 and earlier allows remote attackers to hijack the authentication of an authenticated user. Vulnerabilidad (CSRF) en TeamPass 2.1.24 y versiones anteriores permite a atacantes remotos a secuestrar la autenticación de un usuario autenticado. • https://www.exploit-db.com/exploits/39559 https://github.com/nilsteampassnet/TeamPass/pull/1140 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 1CVE-2015-7564 – TeamPass 2.1.24 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-7564
Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an action_on_quick_icon action to item.query.php or the (2) order or (3) direction parameter in an (a) connections_logs, (b) errors_logs or (c) access_logs action to view.query.php. Múltiples vulnerabilidades de inyección SQL en TeamPass 2.1.24 y versiones anteriores permiten a atacantes remotos a ejecutar comandos arbitrarios SQL a través de (1) el parámetro id en una acción action_on_quick_icon a un item.query.php o (2) el orden o (3) el parámetro de dirección en un (a) connections_logs, (b) errors_logs o (c) acción access_logs en un view.query.php. • https://www.exploit-db.com/exploits/39559 https://github.com/nilsteampassnet/TeamPass/pull/1140 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 1CVE-2014-3771
https://notcve.org/view.php?id=CVE-2014-3771
TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via the language file path in a (1) request to index.php or (2) "change_user_language" request to sources/main.queries.php. TeamPass anterior a 2.1.20 permite a atacantes remotos evadir las restricciones de acceso a través de la ruta del fichero de idiomas en (1) una solicitud en index.php o (2) una solicitud 'change_user_language' en sources/main.queries.php. • http://teampass.net/installation/2.1.20-released.html http://www.openwall.com/lists/oss-security/2014/05/18/2 http://www.openwall.com/lists/oss-security/2014/05/19/5 https://github.com/nilsteampassnet/TeamPass/commit/fd549b245c0f639a8d47bf4f74f92c37c053706f • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 1CVE-2014-3772
https://notcve.org/view.php?id=CVE-2014-3772
TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via a request to index.php followed by a direct request to a file that calls the session_start function before checking the CPM key, as demonstrated by a request to sources/upload/upload.files.php. TeamPass anterior a 2.1.20 permite a atacantes remotos evadir las restricciones de acceso a través de una solicitud en index.php seguida por una solicitud directa en un fichero que llama la función session_start antes de comprobar la clave CPM, tal y como fue demostrado por una solicitud en sources/upload/upload.files.php. • http://teampass.net/installation/2.1.20-released.html http://www.openwall.com/lists/oss-security/2014/05/18/2 http://www.openwall.com/lists/oss-security/2014/05/19/5 https://github.com/nilsteampassnet/TeamPass/commit/7715512f2bd5659cc69e063a1c513c19e384340f • CWE-264: Permissions, Privileges, and Access Controls •
CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 2CVE-2014-3773
https://notcve.org/view.php?id=CVE-2014-3773
Multiple SQL injection vulnerabilities in TeamPass before 2.1.20 allow remote attackers to execute arbitrary SQL commands via the login parameter in a (1) send_pw_by_email or (2) generate_new_password action in sources/main.queries.php; iDisplayStart parameter to (3) datatable.logs.php or (4) a file in source/datatable/; or iDisplayLength parameter to (5) datatable.logs.php or (6) a file in source/datatable/; or allow remote authenticated users to execute arbitrary SQL commands via a sSortDir_ parameter to (7) datatable.logs.php or (8) a file in source/datatable/. Múltiples vulnerabilidades de inyección SQL en TeamPass anterior a 2.1.20 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro login en una acción (1) send_pw_by_email o (2) generate_new_password en sources/main.queries.php; el parámetro iDisplayStart en (3) datatable.logs.php o (4) un fichero en source/datatable/; o el parámetro iDisplayLength en (5) datatable.logs.php o (6) un fichero en source/datatable/; o permiten a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de un parámetro sSortDir_ en (7) datatable.logs.php o (8) un fichero en source/datatable/. • http://teampass.net/installation/2.1.20-released.html http://www.openwall.com/lists/oss-security/2014/05/18/2 http://www.openwall.com/lists/oss-security/2014/05/19/5 https://github.com/nilsteampassnet/TeamPass/commit/7715512f2bd5659cc69e063a1c513c19e384340f https://github.com/nilsteampassnet/TeamPass/commit/8820c8934d9ba0508ac345e73ad0be29049ec6de • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •