CVE-2014-3773
https://notcve.org/view.php?id=CVE-2014-3773
Multiple SQL injection vulnerabilities in TeamPass before 2.1.20 allow remote attackers to execute arbitrary SQL commands via the login parameter in a (1) send_pw_by_email or (2) generate_new_password action in sources/main.queries.php; iDisplayStart parameter to (3) datatable.logs.php or (4) a file in source/datatable/; or iDisplayLength parameter to (5) datatable.logs.php or (6) a file in source/datatable/; or allow remote authenticated users to execute arbitrary SQL commands via a sSortDir_ parameter to (7) datatable.logs.php or (8) a file in source/datatable/. Múltiples vulnerabilidades de inyección SQL en TeamPass anterior a 2.1.20 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro login en una acción (1) send_pw_by_email o (2) generate_new_password en sources/main.queries.php; el parámetro iDisplayStart en (3) datatable.logs.php o (4) un fichero en source/datatable/; o el parámetro iDisplayLength en (5) datatable.logs.php o (6) un fichero en source/datatable/; o permiten a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de un parámetro sSortDir_ en (7) datatable.logs.php o (8) un fichero en source/datatable/. • http://teampass.net/installation/2.1.20-released.html http://www.openwall.com/lists/oss-security/2014/05/18/2 http://www.openwall.com/lists/oss-security/2014/05/19/5 https://github.com/nilsteampassnet/TeamPass/commit/7715512f2bd5659cc69e063a1c513c19e384340f https://github.com/nilsteampassnet/TeamPass/commit/8820c8934d9ba0508ac345e73ad0be29049ec6de • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVE-2014-3772
https://notcve.org/view.php?id=CVE-2014-3772
TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via a request to index.php followed by a direct request to a file that calls the session_start function before checking the CPM key, as demonstrated by a request to sources/upload/upload.files.php. TeamPass anterior a 2.1.20 permite a atacantes remotos evadir las restricciones de acceso a través de una solicitud en index.php seguida por una solicitud directa en un fichero que llama la función session_start antes de comprobar la clave CPM, tal y como fue demostrado por una solicitud en sources/upload/upload.files.php. • http://teampass.net/installation/2.1.20-released.html http://www.openwall.com/lists/oss-security/2014/05/18/2 http://www.openwall.com/lists/oss-security/2014/05/19/5 https://github.com/nilsteampassnet/TeamPass/commit/7715512f2bd5659cc69e063a1c513c19e384340f • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2014-3774
https://notcve.org/view.php?id=CVE-2014-3774
Multiple cross-site scripting (XSS) vulnerabilities in items.php in TeamPass before 2.1.20 allow remote attackers to inject arbitrary web script or HTML via the group parameter, which is not properly handled in a (1) hid_cat or (2) open_folder form element, or (3) id parameter, which is not properly handled in the open_id form element. Múltiples vulnerabilidades de XSS en items.php en TeamPass anterior a 2.1.20 permiten a atacantes remotos inyectar secuencias de comandos web o HTML arbitrarios a través del parámetro group, el cual no se maneja debidamente en un elemento de formulario (1) hid_cat o (2) open_folder o (3) el parámetro id, el cual no se maneja debidamente en el elemento de formulario open_id. • http://teampass.net/installation/2.1.20-released.html http://www.openwall.com/lists/oss-security/2014/05/18/2 http://www.openwall.com/lists/oss-security/2014/05/19/5 https://github.com/nilsteampassnet/TeamPass/commit/8820c8934d9ba0508ac345e73ad0be29049ec6de https://github.com/nilsteampassnet/TeamPass/commit/fd549b245c0f639a8d47bf4f74f92c37c053706f • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2014-3771
https://notcve.org/view.php?id=CVE-2014-3771
TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via the language file path in a (1) request to index.php or (2) "change_user_language" request to sources/main.queries.php. TeamPass anterior a 2.1.20 permite a atacantes remotos evadir las restricciones de acceso a través de la ruta del fichero de idiomas en (1) una solicitud en index.php o (2) una solicitud 'change_user_language' en sources/main.queries.php. • http://teampass.net/installation/2.1.20-released.html http://www.openwall.com/lists/oss-security/2014/05/18/2 http://www.openwall.com/lists/oss-security/2014/05/19/5 https://github.com/nilsteampassnet/TeamPass/commit/fd549b245c0f639a8d47bf4f74f92c37c053706f • CWE-264: Permissions, Privileges, and Access Controls •
CVE-2012-2234 – TeamPass 2.1.5 - 'login' HTML Injection
https://notcve.org/view.php?id=CVE-2012-2234
Cross-site scripting (XSS) vulnerability in sources/users.queries.php in TeamPass before 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the login parameter in an add_new_user action. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en users.queries.php en ETeamPass antes de v2.1.6 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro 'login' (inicio de sesión). ETeamPass version 2.1.5 suffers from a persistent cross site scripting vulnerability in users.queries.php. • https://www.exploit-db.com/exploits/37087 http://osvdb.org/81197 http://packetstormsecurity.org/files/111905 http://www.securityfocus.com/bid/53038 https://exchange.xforce.ibmcloud.com/vulnerabilities/74910 https://github.com/nilsteampassnet/TeamPass/blob/master/readme.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •