Nilsteampassnet Teampass vulnerabilities
41 known vulnerabilities affecting nilsteampassnet/teampass.
Total CVEs: 41
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown: CRITICAL 6, HIGH 14, MEDIUM 21
Vulnerabilities
Page 2 of 3
CVE-2017-15053 | P4 | MEDIUM | ≥ 0, < 2.1.27.9 | 2022-05-13
CVE-2017-15053 [MEDIUM] CWE-269 TeamPass Improper Privilege Management
TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting roles.queries.php. It is then possible for a manager user to modify any arbitrary roles within the application, or delete any arbitrary role. To exploit the vulnerability, an authenticated attacker must have the manager rights on the application, then tamper with the requests sent directly, for exa
ghsa, osv

CVE-2023-1463 | P4 | MEDIUM | ≥ 0, < 3.0.0.23 | 2023-03-17
CVE-2023-1463 [MEDIUM] CWE-285 Improper Authorization in nilsteampassnet/teampass
Improper Authorization in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.
ghsa, osv

CVE-2024-50702 | P4 | MEDIUM | ≥ 0, < 3.1.3.1 | 2024-12-30
CVE-2024-50702 [MEDIUM] CWE-266 TeamPass mail_me operation authorization issue
TeamPass before 3.1.3.1 does not properly check whether a mail_me (aka action_mail) operation is on behalf of an administrator or manager.
ghsa, osv

CVE-2019-12950 | P4 | MEDIUM | ≥ 0, ≤ 2.1.27.35 | 2022-05-24
CVE-2019-12950 [MEDIUM] CWE-79 TeamPass Cross-site Scripting (XSS)
An issue was discovered in TeamPass 2.1.27.35. From the sources/items.queries.php "Import items" feature, it is possible to load a crafted CSV file with an XSS payload.
ghsa, osv

CVE-2019-16904 | P4 | MEDIUM | ≥ 0, ≤ 2.1.27.36 | 2022-05-24
CVE-2019-16904 [MEDIUM] CWE-79 TeamPass Cross-site Scripting (XSS) vulnerability
TeamPass 2.1.27.36 allows XSS by setting a crafted password for an item in a folder, and then sharing that item with an admin. (The crafted password is exploitable when viewing the change history, or the previously used password field.)
ghsa, osv

CVE-2023-3531 | P4 | HIGH | ≥ 0, < 3.0.10 | 2023-07-06
CVE-2023-3531 [HIGH] CWE-79 TeamPass Cross-site Scripting vulnerability
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
ghsa, osv

CVE-2019-17205 | P4 | MEDIUM | ≥ 0, ≤ 2.1.27.36 | 2022-05-24
CVE-2019-17205 [MEDIUM] CWE-79 TeamPass Stored Cross-site Scripting
TeamPass 2.1.27.36 allows Stored XSS by placing a payload in the username field during a login attempt. When an administrator looks at the log of failed logins, the XSS payload will be executed.
ghsa, osv

CVE-2017-15051 | P4 | MEDIUM | ≥ 0, < 2.1.27.9 | 2022-05-17
CVE-2017-15051 [MEDIUM] CWE-79 TeamPass stored cross-site scripting (XSS) vulnerability
Multiple stored cross-site scripting (XSS) vulnerabilities in TeamPass before 2.1.27.9 allow authenticated remote attackers to inject arbitrary web script or HTML via the (1) URL value of an item or (2) user log history. To exploit the vulnerability, the attacker must be first authenticated to the application. For the first one, the attacker has to sim
ghsa, osv

CVE-2017-15278 | P4 | MEDIUM | ≥ 0, < 2.1.27.9 | 2022-05-17
CVE-2017-15278 [MEDIUM] CWE-79 TeamPass Cross-Site Scripting (XSS)
Cross-Site Scripting (XSS) was discovered in TeamPass before 2.1.27.9. The vulnerability exists due to insufficient filtration of data (in /sources/folders.queries.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
ghsa, osv

CVE-2023-3009 | P4 | MEDIUM | ≥ 0, < 3.0.9 | 2023-05-31
CVE-2023-3009 [MEDIUM] CWE-79 nilsteampassnet/teampass vulnerable to cross-site scripting
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9. This enables an attacker to inject malicious code into a shared folder, which can then be executed by other users who have access to the folder.
ghsa, osv

CVE-2019-17204 | P4 | MEDIUM | ≥ 0, ≤ 2.1.27.36 | 2022-05-24
CVE-2019-17204 [MEDIUM] CWE-79 TeamPass Stored Cross-site Scripting
TeamPass 2.1.27.36 allows Stored XSS by setting a crafted Knowledge Base label and adding any available item.
ghsa, osv

CVE-2019-17203 | P4 | MEDIUM | ≥ 0, ≤ 2.1.27.36 | 2022-05-24
CVE-2019-17203 [MEDIUM] CWE-79 TeamPass Stored Cross-site Scripting
TeamPass 2.1.27.36 allows Stored XSS at the Search page by setting a crafted password for an item in any folder.
ghsa, osv

CVE-2023-2516 | P4 | MEDIUM | ≥ 0, < 3.0.7 | 2023-05-05
CVE-2023-2516 [MEDIUM] CWE-79 Cross Site Scripting in nilsteampassnet/teampass
nilsteampassnet/teampass prior to version 3.0.7 is vulnerable to cross site scripting (XSS) from item names within a folder.
ghsa, osv

CVE-2023-2591 | P4 | HIGH | ≥ 0, < 3.0.7 | 2023-05-09
CVE-2023-2591 [HIGH] CWE-79 teampass vulnerable to code injection
In nilsteampassnet/teampass prior to 3.0.7, if two users have the same folder access, malicious users can create an item where its label field is vulnerable to HTML injection. When other users see that item, it may force them to redirect to the attacker's website or capture their data using a form. The issue is fixed in version 3.0.7.
ghsa, osv

CVE-2023-3191 | P4 | MEDIUM | ≥ 0, < 3.0.9 | 2023-06-10
CVE-2023-3191 [MEDIUM] CWE-79 Teampass Cross-site Scripting vulnerability
In versions of nilsteampassnet/teampass prior to 3.0.9, some user input was not properly sanitized, which may have led to stored cross-site scripting (XSS) vectors in the application.
ghsa, osv

CVE-2023-3565 | P4 | MEDIUM | ≥ 0, < 3.0.10 | 2023-07-10
CVE-2023-3565 [MEDIUM] CWE-79 TeamPass Cross-site Scripting vulnerability
Cross-site Scripting (XSS) - Generic in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
ghsa, osv

CVE-2023-2021 | P4 | MEDIUM | ≥ 0, < 3.0.3 | 2023-04-13
CVE-2023-2021 [MEDIUM] CWE-79 nilsteampassnet/teampass vulnerable to stored cross-site scripting (XSS)
nilsteampassnet/teampass prior to 3.0.3 is vulnerable to stored cross-site scripting (XSS) in the description parameter of a folder.
ghsa, osv

CVE-2022-26980 | P4 | MEDIUM | ≥ 0, ≤ 2.1.26 | 2022-03-29
CVE-2022-26980 [MEDIUM] CWE-79 Cross-site Scripting in teampass
Teampass 2.1.26 allows reflected XSS via the index.php PATH_INFO. Someone must open a link for the Teampass Password Manager index page containing a malicious payload.
ghsa, osv

CVE-2023-3552 | P4 | HIGH | ≥ 0, < 3.0.10 | 2023-07-08
CVE-2023-3552 [HIGH] CWE-116 TeamPass vulnerable to Improper Encoding or Escaping of Output
TeamPass prior to 3.0.10 is vulnerable to cross-site scripting filter bypass in folder names. This can lead to information disclosure.
ghsa, osv

CVE-2023-3190 | P4 | MEDIUM | ≥ 0, < 3.0.9 | 2023-06-10
CVE-2023-3190 [MEDIUM] CWE-116 Teampass Cross-site Scripting vulnerability
In versions of nilsteampassnet/teampass prior to 3.0.9, some user input was not properly sanitized, which may have led to stored cross-site scripting (XSS) vectors in the application.
ghsa, osv