CVE-2017-15053
 
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting roles.queries.php. It is then possible for a manager user to modify any arbitrary roles within the application, or delete any arbitrary role. To exploit the vulnerability, an authenticated attacker must have the manager rights on the application, then tamper with the requests sent directly, for example by changing the "id" parameter when invoking "delete_role" on roles.queries.php.
Las versiones anteriores a la 2.1.27.9 de TeamPass no aplican correctamente el control de acceso de managers al solicitar roles.queries.php. Es posible para un usuario manager modificar o eliminar cualquier rol arbitrario en la aplicación.. Para explotar la vulnerabilidad, un atacante autenticado debe tener los derechos de manager de la aplicación y alterar las peticiones enviadas directamente, por ejemplo cambiando el parámetro "id" al invocar "delete_role" en roles.queries.php.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-10-06 CVE Reserved
- 2017-11-27 CVE Published
- 2024-08-05 CVE Updated
- 2024-08-05 First Exploit
- 2024-12-17 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-269: Improper Privilege Management
CAPEC
References (2)
URL | Tag | Source |
---|
URL | Date | SRC |
---|---|---|
http://blog.amossys.fr/teampass-multiple-cve-01.html | 2024-08-05 |
URL | Date | SRC |
---|---|---|
https://github.com/nilsteampassnet/TeamPass/commit/ef32e9c28b6ddc33cee8a25255bc8da54434af3e | 2019-10-03 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Teampass Search vendor "Teampass" | Teampass Search vendor "Teampass" for product "Teampass" | < 2.1.27.9 Search vendor "Teampass" for product "Teampass" and version " < 2.1.27.9" | - |
Affected
|