Medium severity · 5.4 · NVD Advisory · Published Oct 12, 2017 · Updated May 13, 2026
CVE-2017-15278
Description
Cross-Site Scripting (XSS) was discovered in TeamPass before 2.1.27.9. The vulnerability exists due to insufficient filtering of data in /sources/folders.queries.php. An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nilsteampassnet/teampass (Packagist) | < 2.1.27.9 | 2.1.27.9 |
Patches (1)
1. 33 files changed · +117 −35
changelog.md+2 −0 modified@@ -9,8 +9,10 @@ Fixed some other security failures (credit to security at Amossys) Improved security regarding uploading files Fixed issue while restoring DB from administration page + Fixed "PW copy to clipboard" log unconsistency in specific case Improved / Fixed administration task for encrypting/decrypting files Improved security regarding item history display + Improved the possibility to define the access level on Roles when creating new folder Added filter in Roles New: confirm deletion of attachment #1956 Warning appears on Category and API pages in admin mode
folders.load.php+12 −2 modified@@ -20,6 +20,7 @@ <script type="text/javascript"> //<![CDATA[ $(function() { + $("#span_new_rep_roles").hide(); //Launch the datatables pluggin var tableFolders = $("#t_folders").dataTable({ @@ -61,7 +62,7 @@ $("#new_folder_wait").hide(); //empty dialogbox - $("#div_add_group input, #div_add_group select").val(""); + $("#div_add_group input, #div_add_group select, #new_rep_roles").val(""); $("#add_node_renewal_period").val("0"); $("#folder_block_modif, #folder_block_creation").val("0"); $("#parent_id").val("na"); @@ -89,7 +90,8 @@ "parent_id": $('#parent_id').val().replace(/"/g,'"') , "renewal_period": $('#add_node_renewal_period').val().replace(/"/g,'"') , "block_creation": $("#folder_block_creation").val() , - "block_modif": $("#folder_block_modif").val() + "block_modif": $("#folder_block_modif").val(), + "access_level": $("#new_rep_roles").val() }; //send query @@ -334,6 +336,14 @@ function(data) { $("#click_refresh_folders_list").click(function() { tableFolders.api().ajax.reload(); }); + + $("#parent_id").change(function() { + if ($(this).val() === "0") { + $("#span_new_rep_roles").show(); + } else { + $("#span_new_rep_roles").hide(); + } + }) });
folders.php+14 −5 modified@@ -116,33 +116,42 @@ <div id="div_add_group" style="display:none;"> <div id="addgroup_show_error" style="text-align:center;margin:2px;display:none;" class="ui-state-error ui-corner-all"></div> - <label for="ajouter_groupe_titre" class="label_cpm">'.$LANG['group_title'].'</label> + <label for="ajouter_groupe_titre" class="label_cpm">'.addslashes($LANG['group_title']).'</label> <input type="text" id="ajouter_groupe_titre" class="input_text text ui-widget-content ui-corner-all" /> <label for="parent_id" class="label_cpm">'.addslashes($LANG['group_parent']).'</label> <select id="parent_id" class="input_text text ui-widget-content ui-corner-all"> '.$droplist.' </select> - <label for="new_rep_complexite" class="label_cpm">'.$LANG['complex_asked'].'</label> + <label for="new_rep_complexite" class="label_cpm">'.addslashes($LANG['complex_asked']).'</label> <select id="new_rep_complexite" class="input_text text ui-widget-content ui-corner-all">'; foreach ($SETTINGS_EXT['pwComplexity'] as $complex) { echo '<option value="'.$complex[0].'">'.$complex[1].'</option>'; } echo ' </select> - <label for="add_node_renewal_period" class="label_cpm">'.$LANG['group_pw_duration'].'</label> + <span id="span_new_rep_roles"> + <label for="new_rep_roles" class="label_cpm">'.addslashes($LANG['access_level_for_roles']).'</label> + <select id="new_rep_roles" class="input_text text ui-widget-content ui-corner-all"> + <option value="">'.$LANG['no_access'].'</option> + <option value="R">'.$LANG['read'].'</option> + <option value="W">'.$LANG['write'].'</option> + </select> + </span> + + <label for="add_node_renewal_period" class="label_cpm">'.addslashes($LANG['group_pw_duration']).'</label> <input type="text" id="add_node_renewal_period" value="0" class="input_text text ui-widget-content ui-corner-all" /> - <label for="folder_block_creation" class="">'.$LANG['auth_creation_without_complexity'].'</label> + <label for="folder_block_creation" 
class="">'.addslashes($LANG['auth_creation_without_complexity']).'</label> <select id="folder_block_creation" class="ui-widget-content ui-corner-all"> <option value="0">'.$LANG['no'].'</option> <option value="1">'.$LANG['yes'].'</option> </select> <div style="margin-top:10px;"> - <label for="folder_block_modif">'.$LANG['auth_modification_without_complexity'].'</label> + <label for="folder_block_modif">'.addslashes($LANG['auth_modification_without_complexity']).'</label> <select id="folder_block_modif" class="ui-widget-content ui-corner-all"> <option value="0">'.$LANG['no'].'</option> <option value="1">'.$LANG['yes'].'</option>
includes/language/arabic.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/bulgarian.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/catalan.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/chinese.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/czech.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/dutch.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/english.php+2 −1 modified@@ -1,4 +1,4 @@ -<?php +<?php /** * * @file english.php @@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'user_ga_code' => 'Email Google Authentication to user',
includes/language/estonian.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/french.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Droit associé des Roles', 'user_ga_code' => 'Envoyer le code Google Authenticator à l\'utilisateur par email', 'send_ga_code' => 'Google Authenticator pour l\'utilisateur', 'error_no_email' => 'Cet utilisateur n\'a pas de courriel de défini !',
includes/language/german.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/greek.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/hungarian.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/italian.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/japanese.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/norwegian.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/polish.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/portuguese_br.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/portuguese.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/romanian.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/russian.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/spanish.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/swedish.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/turkish.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/ukrainian.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
includes/language/vietnamese.php+1 −0 modified@@ -14,6 +14,7 @@ */ global $LANG; $LANG = array ( + 'access_level_for_roles' => 'Associated access for Roles', 'admin_script_backup_secret' => 'Passkey for backup execution', 'admin_script_backup_secret_tip' => 'The backup passkey needs to be provided to start the backup. It has to be added a key parameter to script.backup.php. Example:scripts.backup.php?key=your_passkey', 'text' => 'Text',
items.load.php+6 −4 modified@@ -3932,15 +3932,17 @@ function() { /* * permits to save */ -function itemLog(log_case) +function itemLog(log_case, item_id) { + console.log("> "+item_id); + item_id = item_id || $('#id_item').val(); $.post( "sources/items.logs.php", { type : log_case, - id_item : $('#id_item').val(), + id_item : item_id, folder_id : $('#hid_cat').val(), - hid_label : $('#hid_label').val(), + hid_label : $('#hid_label').val(), key : "<?php echo $_SESSION['key']; ?>" } ); @@ -4025,7 +4027,7 @@ function proceed_list_update(stop_proceeding) var clipboard = new Clipboard('.mini_pw'); clipboard.on('success', function(e) { $("#message_box").html("<?php echo addslashes($LANG['pw_copied_clipboard']); ?>").show().fadeOut(1000); - itemLog("item_password_copied"); + itemLog("item_password_copied", e.trigger.dataset.clipboardId); e.clearSelection(); });
profile.php+12 −0 modified@@ -92,6 +92,16 @@ $arraFlags[$record['label']] = $record['label']; } +// Prepare Headers +header('Access-Control-Allow-Origin: *'); +echo ' +<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> +<html> + <head> + <title>User Profile</title> + </head> +<body>'; + echo ' <input type="hidden" id="profile_user_token" value="" /> <table style="margin-left:7px;"> @@ -717,3 +727,5 @@ function(data){ ); } </script> +</body> +</html>
sources/folders.queries.php+40 −21 modified@@ -438,6 +438,19 @@ $complexity = htmlspecialchars_decode($dataReceived['complexity']); $parentId = htmlspecialchars_decode($dataReceived['parent_id']); $renewalPeriod = htmlspecialchars_decode($dataReceived['renewal_period']); + if ($parentId === "0") { + if (isset($dataReceived['access_level']) === true) { + $access_level_by_role = filter_var(htmlspecialchars_decode($dataReceived['access_level']), FILTER_SANITIZE_STRING); + } else { + if ($_SESSION['user_manager'] === "1") { + $access_level_by_role = "W"; + } else { + $access_level_by_role = ""; + } + } + } else { + $access_level_by_role = ""; + } //Check if title doesn't contains html codes if (preg_match_all("|<[^>]+>(.*)</[^>]+>|U", $title, $out)) { 
@@ -544,46 +557,52 @@ $tree = new Tree\NestedTree\NestedTree(prefix_table("nested_tree"), 'id', 'parent_id', 'title'); $tree->rebuild(); - if ($isPersonal !== 1 - && isset($SETTINGS['subfolder_rights_as_parent']) - && $SETTINGS['subfolder_rights_as_parent'] === 1 - || ($isPersonal !== 1 && $parentId === "0") - ) { + // Add right to see this folder + if ($_SESSION['is_admin'] === "1" || $_SESSION['user_manager'] === "1") { //Get user's rights identifyUserRights( - array_push($_SESSION['groupes_visibles'], $newId), + $_SESSION['groupes_visibles'], implode(";", $_SESSION['groupes_interdits']), $_SESSION['is_admin'], - $_SESSION['fonction_id'] + is_array($_SESSION['fonction_id']) === true ? implode(";", $_SESSION['fonction_id']) : $_SESSION['fonction_id'] ); + } + if ($isPersonal !== 1 + && $parentId === "0" + ) { //add access to this new folder foreach (explode(';', $_SESSION['fonction_id']) as $role) { - if (!empty($role)) { + if (empty($role) === false && empty($access_level_by_role) === false) { DB::insert( prefix_table("roles_values"), array( 'role_id' => $role, 'folder_id' => $newId, - 'type' => "W" + 'type' => $access_level_by_role ) ); } } } - //If it is a subfolder, then give access to it for all roles that allows the parent folder - $rows = DB::query("SELECT role_id, type FROM ".prefix_table("roles_values")." WHERE folder_id = %i", $parentId); - foreach ($rows as $record) { - //add access to this subfolder - DB::insert( - prefix_table("roles_values"), - array( - 'role_id' => $record['role_id'], - 'folder_id' => $newId, - 'type' => $record['type'] - ) - ); + + if (isset($SETTINGS['subfolder_rights_as_parent']) === true + && $SETTINGS['subfolder_rights_as_parent'] === "1" + ) { + //If it is a subfolder, then give access to it for all roles that allows the parent folder + $rows = DB::query("SELECT role_id, type FROM ".prefix_table("roles_values")." 
WHERE folder_id = %i", $parentId); + foreach ($rows as $record) { + //add access to this subfolder + DB::insert( + prefix_table("roles_values"), + array( + 'role_id' => $record['role_id'], + 'folder_id' => $newId, + 'type' => $record['type'] + ) + ); + } } // if parent folder has Custom Fields Categories then add to this child one too
sources/items.queries.php+1 −1 modified@@ -2695,7 +2695,7 @@ $new_line .= '<i class="fa fa-sm fa-user mi-black mini_login" data-clipboard-text="'.strtr($record['login'], '"', """).'" title="'.$LANG['item_menu_copy_login'].'"></i> '; } if (empty($pw) === false) { - $new_line .= '<i class="fa fa-sm fa-lock mi-black mini_pw" data-clipboard-text="'.strtr($pw, '"', """).'" title="'.$LANG['item_menu_copy_pw'].'"></i> '; + $new_line .= '<i class="fa fa-sm fa-lock mi-black mini_pw" data-clipboard-text="'.strtr($pw, '"', """).'" title="'.$LANG['item_menu_copy_pw'].'" data-clipboard-id="'.$record['id'].'"></i> '; } } }
sources/main.functions.php+4 −1 modified@@ -510,6 +510,9 @@ function defuse_return_decrypted($value) function trimElement($chaine, $element) { if (!empty($chaine)) { + if (is_array($chaine) === true) { + $chaine = implode(";", $chaine); + } $chaine = trim($chaine); if (substr($chaine, 0, 1) == $element) { $chaine = substr($chaine, 1); @@ -658,7 +661,7 @@ function identifyUserRights($groupesVisiblesUser, $groupesInterditsUser, $isAdmi $_SESSION['read_only_folders'] = array(); $_SESSION['fonction_id'] = $idFonctions; $groupesInterdits = array(); - if (!is_array($groupesInterditsUser)) { + if (is_array($groupesInterditsUser) === false) { $groupesInterditsUser = explode(';', trimElement($groupesInterditsUser, ";")); } if (!empty($groupesInterditsUser) && count($groupesInterditsUser) > 0) {
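Review bot: the new changelog.md line reads "log unconsistency"; the word is "inconsistency". The changelog also does not say which entry corresponds to the XSS in sources/folders.queries.php that this CVE credits, and the patch bundles that fix with an unrelated feature (access level for roles on new root folders); a one-line entry naming the fix would help anyone auditing the release.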
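Review bot: in the dialog-reset hunk of folders.load.php, `$("#parent_id").val("na")` does not fire the new `change` handler, so `#span_new_rep_roles` stays visible if the previous folder was created under parent "0". Either hide the span explicitly in the reset block or write `$("#parent_id").val("na").trigger("change");`. The `.change(function() { ... })` handler also ends in `})` without a trailing semicolon; add one to match the surrounding code.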
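Review bot: in the folders.php hunk, addslashes() is applied to the label strings but not to the option texts in the same block (`$LANG['no_access']`, `$LANG['read']`, `$LANG['write']`, `$LANG['no']`, `$LANG['yes']`), so the escaping is inconsistent. addslashes() only escapes quotes and backslashes for a string-literal context; if these values are emitted as HTML text, htmlspecialchars() is the context-appropriate encoder, and if the block is emitted inside a JavaScript string the same function should be applied to every `$LANG` value in it, not only the labels.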
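Review bot: the hunks in includes/language/*.php add the English text 'Associated access for Roles' to 24 non-English translation files; only french.php carries a translation. Marking these entries as untranslated, or leaving them out so the loader can fall back to english.php if it supports that, would avoid shipping English placeholders as translations.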
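Review bot: the first hunk in includes/language/english.php replaces `<?php` with an identical-looking `<?php`, which usually means a byte-order mark or trailing whitespace changed. Confirm the file now begins with a clean `<?php`: any bytes before the opening tag are sent as output, which would break later header() calls such as the one added in profile.php.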
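Review bot: `console.log("> "+item_id);` in the itemLog() hunk of items.load.php is a leftover debugging statement and should be removed before release. The fallback `item_id = item_id || $('#id_item').val();` is fine, but the clipboard handler's `e.trigger.dataset.clipboardId` depends on every `.mini_pw` element carrying the `data-clipboard-id` attribute added in sources/items.queries.php; the `.mini_login` elements in that same hunk did not receive it, so any logging of login copies would still fall back to the hidden field.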
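Review bot: `header('Access-Control-Allow-Origin: *');` in the profile.php hunk relaxes the same-origin policy for a page that renders a user's profile, and nothing in the diff explains why. Browsers refuse to pair a wildcard origin with credentialed requests, so the header does not directly expose session-bound data, but it is an unexplained loosening in a password manager and should be removed or narrowed to the one origin that needs it. header() must also run before any output; confirm nothing earlier in profile.php echoes before this point.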
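Review bot: in the first sources/folders.queries.php hunk, `$access_level_by_role` is taken from the client through `filter_var(..., FILTER_SANITIZE_STRING)`, but the only values the code ever writes to roles_values.type are "", "R" and "W". A whitelist check such as `in_array($access_level_by_role, array('', 'R', 'W'), true)`, rejecting anything else, is the right validation here; FILTER_SANITIZE_STRING strips tags rather than validating, and it is deprecated from PHP 8.1. Note also that folders.load.php always sends `access_level`, so the `isset()` branch is the one the bundled UI takes and the manager default of "W" is effectively reached only by other clients.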
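Review bot: in the second sources/folders.queries.php hunk, the identifyUserRights() call normalises `$_SESSION['fonction_id']` with `is_array(...) === true ? implode(";", ...) : ...`, acknowledging it may be an array, but that call only runs for admins and managers; the `foreach (explode(';', $_SESSION['fonction_id']) as $role)` loop a few lines later runs for any non-personal root folder, and explode() on an array fails. Normalise once before both blocks. Two further points: the setting check changed from `$SETTINGS['subfolder_rights_as_parent'] === 1` to `=== "1"`, so if any code path loads settings as integers the parent-rights inheritance silently stops; and the unchanged `preg_match_all("|<[^>]+>(.*)</[^>]+>|U", $title, $out)` title check only matches paired tags, so it is not a substitute for encoding the title with htmlspecialchars() wherever it is rendered, which is the mitigation the CVE description of this file calls for.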
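Review bot: in the sources/items.queries.php hunk, the password is placed in the `data-clipboard-text` attribute with only `"` translated by strtr(); `&` is not encoded, so a value containing an entity-like sequence such as `&amp;` is decoded by the browser and copied incorrectly, and `<` and `>` reach the markup unencoded. `htmlspecialchars($pw, ENT_QUOTES)` covers all of these in attribute context, and the new `data-clipboard-id` value should be cast with `(int) $record['id']` so the id can never be interpreted as markup.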
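Review bot: the trimElement() hunk in sources/main.functions.php implodes arrays, which makes identifyUserRights() tolerant of either form, but it hides the array-or-string ambiguity of `$_SESSION['fonction_id']` rather than fixing it where the session value is populated; the explode() in sources/folders.queries.php shows the same ambiguity surfacing elsewhere.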
References
- github.com/nilsteampassnet/TeamPass/commit/f5a765381f051fe624386866ddb1f6b5e7eb929b (NVD: Patch, Third Party Advisory)
- github.com/advisories/GHSA-28pv-2j2h-fmhc (GHSA advisory)
- github.com/nilsteampassnet/TeamPass/blob/master/changelog.md (NVD: Release Notes, Third Party Advisory)
- github.com/nilsteampassnet/TeamPass/releases/tag/2.1.27.9 (NVD: Release Notes, Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-15278 (GHSA advisory)