cbcvebase.
CVE-2015-7564
published 2017-04-12

CVE-2015-7564: Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an…

PriorityP263critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
3.39%
87.3th percentile
Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an action_on_quick_icon action to item.query.php or the (2) order or (3) direction parameter in an (a) connections_logs, (b) errors_logs or (c) access_logs action to view.query.php.

Affected

2 ranges
VendorProductVersion rangeFixed in
nilsteampassnetteampass>= 0 < 2.1.252.1.25
teampassteampass<= 2.1.24

Detection & IOCsextracted from sources · hover to see the quote

pathitem.query.php
pathview.query.php
commandtype=action_on_quick_icon&id=(SELECT (CASE WHEN (6144=6144) THEN 6144 ELSE 6144*(SELECT 6144 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&action=1
commandtype=connections_logs&order=(SELECT (CASE WHEN (6688=6688) THEN 6688 ELSE 6688*(SELECT 6688 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&direction=DESC
commandtype=connections_logs&order=date AND (SELECT * FROM (SELECT(SLEEP(5)))vhPw)&direction=DESC
commandtype=errors_logs&order=date&direction=, (SELECT (CASE WHEN (1739=1739) THEN 1739 ELSE 1739*(SELECT 1739 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))
  • Monitor POST requests to item.query.php where the 'type' parameter equals 'action_on_quick_icon' and the 'id' parameter contains SQL subquery patterns such as SELECT/CASE/WHEN constructs.
  • Monitor POST requests to view.query.php where 'type' is connections_logs, errors_logs, or access_logs and the 'order' or 'direction' parameters contain SQL injection payloads; note that 'direction' exploits require a leading ', ' prefix.
  • Use the Google dork to identify exposed TeamPass instances that may be targeted: intitle:"Teampass" + inurl:index.php?page=items
  • Detect time-based blind SQL injection attempts via SLEEP() calls in POST body parameters to view.query.php (e.g., SLEEP(5) in the 'order' parameter).
  • ·The SQL injection vulnerabilities affect TeamPass 2.1.24 and earlier; version 2.1.25 contains the fixes. Ensure the deployed version is 2.1.25 or later.
  • ·The vulnerabilities are remotely exploitable without authentication constraints noted, making internet-exposed TeamPass instances at high risk.

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.