Filtered by vendor Teampass
Subscribe
Search
Total
10 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2019-17203 | 1 Teampass | 1 Teampass | 2019-10-08 | 3.5 LOW | 5.4 MEDIUM |
| TeamPass 2.1.27.36 allows Stored XSS at the Search page by setting a crafted password for an item in any folder. | |||||
| CVE-2019-17204 | 1 Teampass | 1 Teampass | 2019-10-08 | 3.5 LOW | 5.4 MEDIUM |
| TeamPass 2.1.27.36 allows Stored XSS by setting a crafted Knowledge Base label and adding any available item. | |||||
| CVE-2019-17205 | 1 Teampass | 1 Teampass | 2019-10-08 | 4.3 MEDIUM | 6.1 MEDIUM |
| TeamPass 2.1.27.36 allows Stored XSS by placing a payload in the username field during a login attempt. When an administrator looks at the log of failed logins, the XSS payload will be executed. | |||||
| CVE-2017-15052 | 1 Teampass | 1 Teampass | 2019-10-03 | 4.0 MEDIUM | 4.9 MEDIUM |
| TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting users.queries.php. It is then possible for a manager user to delete an arbitrary user (including admin), or modify attributes of any arbitrary user except administrator. To exploit the vulnerability, an authenticated attacker must have the manager rights on the application, then tamper with the requests sent directly, for example by changing the "id" parameter when invoking "delete_user" on users.queries.php. | |||||
| CVE-2017-15053 | 1 Teampass | 1 Teampass | 2019-10-03 | 4.0 MEDIUM | 4.9 MEDIUM |
| TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting roles.queries.php. It is then possible for a manager user to modify any arbitrary roles within the application, or delete any arbitrary role. To exploit the vulnerability, an authenticated attacker must have the manager rights on the application, then tamper with the requests sent directly, for example by changing the "id" parameter when invoking "delete_role" on roles.queries.php. | |||||
| CVE-2019-16904 | 1 Teampass | 1 Teampass | 2019-09-27 | 3.5 LOW | 5.4 MEDIUM |
| TeamPass 2.1.27.36 allows Stored XSS by setting a crafted password for an item in a common available folder or sharing the item with an admin. (The crafted password is exploitable when viewing the change history of the item or tapping on the item.) | |||||
| CVE-2019-12950 | 1 Teampass | 1 Teampass | 2019-08-14 | 3.5 LOW | 5.4 MEDIUM |
| An issue was discovered in TeamPass 2.1.27.35. From the sources/items.queries.php "Import items" feature, it is possible to load a crafted CSV file with an XSS payload. | |||||
| CVE-2017-15051 | 1 Teampass | 1 Teampass | 2017-12-07 | 3.5 LOW | 5.4 MEDIUM |
| Multiple stored cross-site scripting (XSS) vulnerabilities in TeamPass before 2.1.27.9 allow authenticated remote attackers to inject arbitrary web script or HTML via the (1) URL value of an item or (2) user log history. To exploit the vulnerability, the attacker must be first authenticated to the application. For the first one, the attacker has to simply inject XSS code within the URL field of a shared item. For the second one however, the attacker must prepare a payload within its profile, and then ask an administrator to modify its profile. From there, whenever the administrator accesses the log, it can be XSS'ed. | |||||
| CVE-2017-15278 | 1 Teampass | 1 Teampass | 2017-10-26 | 3.5 LOW | 5.4 MEDIUM |
| Cross-Site Scripting (XSS) was discovered in TeamPass before 2.1.27.9. The vulnerability exists due to insufficient filtration of data (in /sources/folders.queries.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website. | |||||
| CVE-2015-7562 | 1 Teampass | 1 Teampass | 2017-04-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) label value of an item or (2) name of a role. | |||||