CVSS: 7.5EPSS: 0%CPEs: 13EXPL: 2CVE-2014-3773
https://notcve.org/view.php?id=CVE-2014-3773
Multiple SQL injection vulnerabilities in TeamPass before 2.1.20 allow remote attackers to execute arbitrary SQL commands via the login parameter in a (1) send_pw_by_email or (2) generate_new_password action in sources/main.queries.php; iDisplayStart parameter to (3) datatable.logs.php or (4) a file in source/datatable/; or iDisplayLength parameter to (5) datatable.logs.php or (6) a file in source/datatable/; or allow remote authenticated users to execute arbitrary SQL commands via a sSortDir_ parameter to (7) datatable.logs.php or (8) a file in source/datatable/. Múltiples vulnerabilidades de inyección SQL en TeamPass anterior a 2.1.20 permiten a atacantes remotos ejecutar comandos SQL arbitrarios a través del parámetro login en una acción (1) send_pw_by_email o (2) generate_new_password en sources/main.queries.php; el parámetro iDisplayStart en (3) datatable.logs.php o (4) un fichero en source/datatable/; o el parámetro iDisplayLength en (5) datatable.logs.php o (6) un fichero en source/datatable/; o permiten a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a través de un parámetro sSortDir_ en (7) datatable.logs.php o (8) un fichero en source/datatable/. • http://teampass.net/installation/2.1.20-released.html http://www.openwall.com/lists/oss-security/2014/05/18/2 http://www.openwall.com/lists/oss-security/2014/05/19/5 https://github.com/nilsteampassnet/TeamPass/commit/7715512f2bd5659cc69e063a1c513c19e384340f https://github.com/nilsteampassnet/TeamPass/commit/8820c8934d9ba0508ac345e73ad0be29049ec6de • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.3EPSS: 0%CPEs: 6EXPL: 1CVE-2012-2234 – TeamPass 2.1.5 - 'login' HTML Injection
https://notcve.org/view.php?id=CVE-2012-2234
Cross-site scripting (XSS) vulnerability in sources/users.queries.php in TeamPass before 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the login parameter in an add_new_user action. Una vulnerabilidad de ejecución de comandos en sitios cruzados (XSS) en users.queries.php en ETeamPass antes de v2.1.6 permite a atacantes remotos inyectar secuencias de comandos web o HTML a través del parámetro 'login' (inicio de sesión). ETeamPass version 2.1.5 suffers from a persistent cross site scripting vulnerability in users.queries.php. • https://www.exploit-db.com/exploits/37087 http://osvdb.org/81197 http://packetstormsecurity.org/files/111905 http://www.securityfocus.com/bid/53038 https://exchange.xforce.ibmcloud.com/vulnerabilities/74910 https://github.com/nilsteampassnet/TeamPass/blob/master/readme.txt • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •