CVE-2015-7564
Published 2017-04-12
Priority: P263 | Severity: critical | CVSS 3.0: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.39% (87.3th percentile)
Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an action_on_quick_icon action to item.query.php or the (2) order or (3) direction parameter in an (a) connections_logs, (b) errors_logs or (c) access_logs action to view.query.php.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nilsteampassnet | teampass | >= 0 < 2.1.25 | 2.1.25 |
| teampass | teampass | <= 2.1.24 | — |
Detection & IOCs (extracted from sources)
command: type=action_on_quick_icon&id=(SELECT (CASE WHEN (6144=6144) THEN 6144 ELSE 6144*(SELECT 6144 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&action=1
command: type=connections_logs&order=(SELECT (CASE WHEN (6688=6688) THEN 6688 ELSE 6688*(SELECT 6688 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&direction=DESC
command: type=errors_logs&order=date&direction=, (SELECT (CASE WHEN (1739=1739) THEN 1739 ELSE 1739*(SELECT 1739 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
- Monitor POST requests to item.query.php where the 'type' parameter equals 'action_on_quick_icon' and the 'id' parameter contains SQL subquery patterns such as SELECT/CASE/WHEN constructs.
- Monitor POST requests to view.query.php where 'type' is connections_logs, errors_logs, or access_logs and the 'order' or 'direction' parameter contains an SQL injection payload; note that 'direction' exploits require a leading ', ' prefix.
- Use the Google dork to identify exposed TeamPass instances that may be targeted: intitle:"Teampass" + inurl:index.php?page=items
- Detect time-based blind SQL injection attempts via SLEEP() calls in POST body parameters to view.query.php (e.g., SLEEP(5) in the 'order' parameter).
- The SQL injection vulnerabilities affect TeamPass 2.1.24 and earlier; version 2.1.25 contains the fixes. Ensure the deployed version is 2.1.25 or later.
- The vulnerabilities are remotely exploitable, with no authentication constraints noted, which puts internet-exposed TeamPass instances at high risk.
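An added example (not part of the advisory or of TeamPass): the monitoring guidance above as a Python check over form-encoded POST bodies. The value shapes in SHAPE, the bare request paths, and the SLEEP and benign samples are assumptions constructed for illustration; the first three bodies are the command strings listed above.

```python
import re
from urllib.parse import parse_qs

LOG_TYPES = ("connections_logs", "errors_logs", "access_logs")
# Endpoint -> 'type' value -> parameters the advisory names as injectable.
WATCHED = {
    "item.query.php": {"action_on_quick_icon": ("id",)},
    "view.query.php": {t: ("order", "direction") for t in LOG_TYPES},
}
# Assumed shapes of legitimate values (an assumption, not from TeamPass source).
SHAPE = {
    "id": re.compile(r"\d+"),
    "order": re.compile(r"\w+"),
    "direction": re.compile(r"asc|desc", re.I),
}
SQL_HINT = re.compile(r"\b(select|case|when|sleep)\b", re.I)

def inspect_post(path, body):
    """Return [(param, reason)] for one form-encoded POST; [] means clean."""
    endpoint = path.split("?", 1)[0].rsplit("/", 1)[-1]
    form = parse_qs(body, keep_blank_values=True)  # also URL-decodes values
    req_type = form.get("type", [""])[0]
    findings = []
    for name in WATCHED.get(endpoint, {}).get(req_type, ()):
        for value in form.get(name, []):
            if SHAPE[name].fullmatch(value):
                continue  # value has the expected shape
            hit = SQL_HINT.search(value)
            reason = "sql:" + hit.group(1).lower() if hit else "unexpected-shape"
            findings.append((name, reason))
    return findings

# (path, body) pairs; paths are constructed, bodies 0-2 are the page's IOCs.
SAMPLES = [
    ("/item.query.php", "type=action_on_quick_icon&id=(SELECT (CASE WHEN (6144=6144) THEN 6144 ELSE 6144*(SELECT 6144 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&action=1"),
    ("/view.query.php", "type=connections_logs&order=(SELECT (CASE WHEN (6688=6688) THEN 6688 ELSE 6688*(SELECT 6688 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&direction=DESC"),
    ("/view.query.php", "type=errors_logs&order=date&direction=, (SELECT (CASE WHEN (1739=1739) THEN 1739 ELSE 1739*(SELECT 1739 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))"),
    ("/view.query.php", "type=access_logs&order=SLEEP(5)&direction=ASC"),     # constructed
    ("/view.query.php", "type=connections_logs&order=date&direction=DESC"),  # constructed, benign
]

if __name__ == "__main__":
    for path, body in SAMPLES:
        print(path, body[:40], "->", inspect_post(path, body) or "clean")
```

Matching on expected value shape first means a request is flagged even when the payload avoids the listed keywords; the keyword match only labels the reason.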
CVSS provenance
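| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |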
OSV
osv · 2022-05-17
CVE-2015-7564 [CRITICAL] TeamPass vulnerable to SQL Injection
GHSA
ghsa · 2022-05-17
CVE-2015-7564 [CRITICAL] CWE-89 TeamPass vulnerable to SQL Injection
No detection rules found.
No writeups or analysis indexed.
Published: 2017-04-12