cbcvebase.
CVE-2023-1545
published 2023-03-21

CVE-2023-1545: SQL Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.

PriorityP261high7.5CVSS 3.1
AVNACLPRNUINSUCHINAN
EXPLOIT
EPSS
8.35%
94.3th percentile
SQL Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.

Affected

3 ranges
VendorProductVersion rangeFixed in
nilsteampassnetnilsteampassnet_teampass>= unspecified < 3.0.0.233.0.0.23
nilsteampassnetteampass>= 0 < 3.0.0.223.0.0.22
teampassteampass< 3.0.0.233.0.0.23

Detection & IOCsextracted from sources · hover to see the quote

url/api/index.php/authorize
path/api/index.php/authorize
  • Detect POST requests to /api/index.php/authorize with Content-Type: application/json where the 'login' field contains single-quote characters or SQL keywords (UNION, SELECT, FROM).
  • Alert on API responses from /api/index.php/authorize that return a JWT token when the login value contains SQL injection payloads — the exploit decodes the JWT second segment to extract exfiltrated SQL query results.
  • Use the Google Dork 'intitle:"Teampass" + inurl:index.php?page=items' to identify exposed TeamPass instances for proactive asset discovery.
  • Flag any API request to TeamPass where the 'apikey' field is set to the literal string 'foo' and 'password' is 'h4ck3d', matching the exploit's hardcoded credential values.
  • Check for the string 'API usage is not allowed' in TeamPass API responses to confirm API feature status; absence of this string on /api/index.php/authorize indicates the attack surface is exposed.
  • ·The vulnerability is only exploitable when the TeamPass API feature is enabled. If the API is disabled, the endpoint returns 'API usage is not allowed' and the injection cannot proceed.
  • ·The exploit targets TeamPass versions up to and including 3.0.0.21 (NVD states prior to 3.0.0.23). The exploit header also lists '2.1.24 and prior', suggesting the vulnerable code path exists across multiple version branches.

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvdv3.07.5HIGHCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.