nilsteampassnet/teampass
Packagist42 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting nilsteampassnet/teampasspage 1 of 1
- CVE-2015-7562MEDIUMCVSS 6.1EG 6.1✓ Fixed in 2.1.252017-04-12
vulnerable: 2.1.21
Multiple cross-site scripting (XSS) vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) label value of an item or (2) name of a role.
- CVE-2015-7564CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.1.252017-04-12
vulnerable: 2.1.21
Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an action_on_quick_icon action to item.query.php or the (2) order or (3) direction p…
- CVE-2017-15051MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.1.27.92017-11-27
vulnerable: 2.1.21, 2.1.26, 2.1.27
Multiple stored cross-site scripting (XSS) vulnerabilities in TeamPass before 2.1.27.9 allow authenticated remote attackers to inject arbitrary web script or HTML via the (1) URL value of an item or (2) user log history. To exploit the vul…
- CVE-2017-15052MEDIUMCVSS 4.9EG 4.9✓ Fixed in 2.1.27.92017-11-27
vulnerable: 2.1.21, 2.1.26, 2.1.27
TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting users.queries.php. It is then possible for a manager user to delete an arbitrary user (including admin), or modify attributes of any arbitrary user e…
- CVE-2017-15053MEDIUMCVSS 4.9EG 4.9✓ Fixed in 2.1.27.92017-11-27
vulnerable: 2.1.21, 2.1.26, 2.1.27
TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting roles.queries.php. It is then possible for a manager user to modify any arbitrary roles within the application, or delete any arbitrary role. To expl…
- CVE-2017-15054HIGHCVSS 7.5EG 7.5✓ Fixed in 2.1.27.92017-11-27
vulnerable: 2.1.21, 2.1.26, 2.1.27
An arbitrary file upload vulnerability, present in TeamPass before 2.1.27.9, allows remote authenticated users to upload arbitrary files leading to Remote Command Execution. To exploit this vulnerability, an authenticated attacker has to t…
- CVE-2017-15055HIGHCVSS 8.1EG 8.1✓ Fixed in 2.1.27.92017-11-27
vulnerable: 2.1.21, 2.1.26, 2.1.27
TeamPass before 2.1.27.9 does not properly enforce item access control when requesting items.queries.php. It is then possible to copy any arbitrary item into a directory controlled by the attacker, edit any item within a read-only director…
- CVE-2017-15278MEDIUMCVSS 5.4EG 5.4✓ Fixed in 2.1.27.92017-10-12
vulnerable: 2.1.21, 2.1.26, 2.1.27
Cross-Site Scripting (XSS) was discovered in TeamPass before 2.1.27.9. The vulnerability exists due to insufficient filtration of data (in /sources/folders.queries.php). An attacker could execute arbitrary HTML and script code in a browser…
- CVE-2017-9436CRITICALCVSS 9.8EG 9.8✓ Fixed in 2.1.27.52017-06-05
vulnerable: 2.1.21, 2.1.26, 2.1.27
TeamPass before 2.1.27.4 is vulnerable to a SQL injection in users.queries.php.
- CVE-2019-1000001CRITICALCVSS 9.82019-02-04
vulnerable: 2.1.21, 2.1.26, 2.1.27
TeamPass version 2.1.27 and earlier contains a Storing Passwords in a Recoverable Format vulnerability in Shared password vaults that can result in all shared passwords are recoverable server side. This attack appears to be exploitable via…
- CVE-2019-12950MEDIUMCVSS 5.4EG 5.42019-08-06
vulnerable: 2.1.21, 2.1.26, 2.1.27
An issue was discovered in TeamPass 2.1.27.35. From the sources/items.queries.php "Import items" feature, it is possible to load a crafted CSV file with an XSS payload.
- CVE-2019-16904MEDIUMCVSS 5.4EG 5.42019-09-26
vulnerable: 2.1.21, 2.1.26, 2.1.27
TeamPass 2.1.27.36 allows Stored XSS by setting a crafted password for an item in a common available folder or sharing the item with an admin. (The crafted password is exploitable when viewing the change history of the item or tapping on t…
- CVE-2019-17203MEDIUMCVSS 5.4EG 5.42019-10-05
vulnerable: 2.1.21, 2.1.26, 2.1.27
TeamPass 2.1.27.36 allows Stored XSS at the Search page by setting a crafted password for an item in any folder.
- CVE-2019-17204MEDIUMCVSS 5.4EG 5.42019-10-05
vulnerable: 2.1.21, 2.1.26, 2.1.27
TeamPass 2.1.27.36 allows Stored XSS by setting a crafted Knowledge Base label and adding any available item.
- CVE-2019-17205MEDIUMCVSS 6.1EG 6.12019-10-05
vulnerable: 2.1.21, 2.1.26, 2.1.27
TeamPass 2.1.27.36 allows Stored XSS by placing a payload in the username field during a login attempt. When an administrator looks at the log of failed logins, the XSS payload will be executed.
- CVE-2020-11671HIGHCVSS 8.1EG 8.12020-05-04
vulnerable: 2.1.21, 2.1.26, 2.1.27
Lack of authorization controls in REST API functions in TeamPass through 2.1.27.36 allows any TeamPass user with a valid API token to become a TeamPass administrator and read/modify all passwords via authenticated api/index.php REST API ca…
- CVE-2020-12477HIGHCVSS 7.5EG 7.52020-04-29
vulnerable: 2.1.21, 2.1.26, 2.1.27
The REST API functions in TeamPass 2.1.27.36 allow any user with a valid API token to bypass IP address whitelist restrictions via an X-Forwarded-For client HTTP header to the getIp function.
- CVE-2020-12478HIGHCVSS 7.5EG 7.52020-04-29
vulnerable: 2.1.27.36
TeamPass 2.1.27.36 allows an unauthenticated attacker to retrieve files from the TeamPass web root. This may include backups or LDAP debug files.
- CVE-2020-12479HIGHCVSS 8.8EG 8.82020-04-29
vulnerable: 2.1.21, 2.1.26, 2.1.27
TeamPass 2.1.27.36 allows any authenticated TeamPass user to trigger a PHP file include vulnerability via a crafted HTTP request with sources/users.queries.php newValue directory traversal.
- CVE-2022-26980MEDIUMCVSS 6.1EG 6.12022-03-28
vulnerable: 2.1.21, 2.1.26
Teampass 2.1.26 allows reflected XSS via the index.php PATH_INFO.
- CVE-2023-1070HIGHCVSS 7.1EG 7.1✓ Fixed in 3.0.0.232023-02-27
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
External Control of File Name or Path in GitHub repository nilsteampassnet/teampass prior to 3.0.0.22.
- CVE-2023-1463MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.0.0.232023-03-17
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Authorization Bypass Through User-Controlled Key in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.
- CVE-2023-1545HIGHCVSS 7.5EG 7.5✓ Fixed in 3.0.0.222023-03-21
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
SQL Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.
- CVE-2023-2021MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.0.32023-04-13
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.3.
- CVE-2023-2516MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.0.72023-05-05
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.7.
- CVE-2023-2591MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.0.72023-05-09
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitHub repository nilsteampassnet/teampass prior to 3.0.7.
- CVE-2023-2859HIGHCVSS 8.8EG 8.8✓ Fixed in 3.0.92023-05-24
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
- CVE-2023-3009MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.0.92023-05-31
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
- CVE-2023-3083HIGHCVSS 8.7EG 8.7✓ Fixed in 3.0.92023-06-03
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
- CVE-2023-3084HIGHCVSS 8.1EG 8.1✓ Fixed in 3.0.92023-06-03
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
- CVE-2023-3086CRITICALCVSS 9.0EG 9.0✓ Fixed in 3.0.92023-06-03
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
- CVE-2023-3095MEDIUMCVSS 6.5EG 6.5✓ Fixed in 3.0.92023-06-04
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Improper Access Control in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
- CVE-2023-3190MEDIUMCVSS 4.6EG 4.6✓ Fixed in 3.0.92023-06-10
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
- CVE-2023-3191MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.0.92023-06-10
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
- CVE-2023-3531MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.0.102023-07-06
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
- CVE-2023-3551HIGHCVSS 7.2EG 7.2✓ Fixed in 3.0.102023-07-08
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
- CVE-2023-3552MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.0.102023-07-08
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
- CVE-2023-3553HIGHCVSS 7.5EG 7.5✓ Fixed in 3.0.102023-07-08
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
- CVE-2023-3565MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.0.102023-07-10
vulnerable: 2.1.21 ... 3.0.0.11 (6 versions)
Cross-site Scripting (XSS) - Generic in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
- CVE-2024-50701MEDIUMCVSS 4.3EG 4.3✓ Fixed in 3.1.3.12024-12-30
vulnerable: 2.1.21 ... 3.1.1 (9 versions)
TeamPass before 3.1.3.1, when retrieving information about access rights for a folder, does not properly check whether a folder is in a user's allowed folders list that has been defined by an admin.
- CVE-2024-50702MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.1.3.12024-12-30
vulnerable: 2.1.21 ... 3.1.1 (9 versions)
TeamPass before 3.1.3.1 does not properly check whether a mail_me (aka action_mail) operation is on behalf of an administrator or manager.
- CVE-2024-50703MEDIUMCVSS 5.4EG 5.4✓ Fixed in 3.1.3.12024-12-30
vulnerable: 2.1.21 ... 3.1.1 (9 versions)
TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id.
Check whether nilsteampassnet/teampass is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for nilsteampassnet/teampass CVEs against the assets you own.
Start Free Scan →