Vendor CVEs
Nilsteampassnet
All CVEs
41 total · sorted by risk| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-9436 | Cri | 0.64 | 9.8 | 0.01 | Jun 5, 2017 | TeamPass before 2.1.27.4 is vulnerable to a SQL injection in users.queries.php. | ||
| CVE-2015-7564 | Cri | 0.60 | 9.8 | 0.03 | Apr 12, 2017 | Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an action_on_quick_icon action to item.query.php or the (2) order or (3) direction parameter in an (a) connections_logs, (b)… | ||
| CVE-2015-7563 | Hig | 0.53 | 8.8 | 0.03 | Apr 12, 2017 | Cross-site request forgery (CSRF) vulnerability in TeamPass 2.1.24 and earlier allows remote attackers to hijack the authentication of an authenticated user. | ||
| CVE-2017-15055 | Hig | 0.46 | 8.1 | 0.01 | Nov 27, 2017 | TeamPass before 2.1.27.9 does not properly enforce item access control when requesting items.queries.php. It is then possible to copy any arbitrary item into a directory controlled by the attacker, edit any item within a read-only directory, delete an arbitrary item, delete the… | ||
| CVE-2017-15054 | Hig | 0.42 | 7.5 | 0.04 | Nov 27, 2017 | An arbitrary file upload vulnerability, present in TeamPass before 2.1.27.9, allows remote authenticated users to upload arbitrary files leading to Remote Command Execution. To exploit this vulnerability, an authenticated attacker has to tamper with parameters of a request to… | ||
| CVE-2015-7562 | Med | 0.36 | 6.1 | 0.02 | Apr 12, 2017 | Multiple cross-site scripting (XSS) vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) label value of an item or (2) name of a role. | ||
| CVE-2026-3107 | Med | 0.35 | 5.4 | 0.00 | Mar 31, 2026 | Stored Cross-Site Scripting (XSS) in Teampass versions prior to 3.1.5.16, affecting the password manager's password import functionality at the endpoint 'redacted/index.php?page=items'. The application fails to properly sanitize and encode user-input data during the import… | ||
| CVE-2026-3106 | Med | 0.35 | 5.4 | 0.00 | Mar 31, 2026 | Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality in the 'contraseña' parameter of the login form 'redacted/index.php'. During failed authentication attempts, the application does not properly clean or… | ||
| CVE-2017-15051 | Med | 0.28 | 5.4 | 0.01 | Nov 27, 2017 | Multiple stored cross-site scripting (XSS) vulnerabilities in TeamPass before 2.1.27.9 allow authenticated remote attackers to inject arbitrary web script or HTML via the (1) URL value of an item or (2) user log history. To exploit the vulnerability, the attacker must be first… | ||
| CVE-2017-15278 | Med | 0.28 | 5.4 | 0.01 | Oct 12, 2017 | Cross-Site Scripting (XSS) was discovered in TeamPass before 2.1.27.9. The vulnerability exists due to insufficient filtration of data (in /sources/folders.queries.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable… | ||
| CVE-2017-15053 | Med | 0.25 | 4.9 | 0.01 | Nov 27, 2017 | TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting roles.queries.php. It is then possible for a manager user to modify any arbitrary roles within the application, or delete any arbitrary role. To exploit the vulnerability, an authenticated… | ||
| CVE-2017-15052 | Med | 0.25 | 4.9 | 0.01 | Nov 27, 2017 | TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting users.queries.php. It is then possible for a manager user to delete an arbitrary user (including admin), or modify attributes of any arbitrary user except administrator. To exploit the… | ||
| CVE-2012-2234 | 0.03 | — | 0.04 | Apr 22, 2012 | Cross-site scripting (XSS) vulnerability in sources/users.queries.php in TeamPass before 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the login parameter in an add_new_user action. | |||
| CVE-2024-50702 | 0.00 | — | 0.00 | Dec 30, 2024 | TeamPass before 3.1.3.1 does not properly check whether a mail_me (aka action_mail) operation is on behalf of an administrator or manager. | |||
| CVE-2024-50703 | 0.00 | — | 0.00 | Dec 30, 2024 | TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id. | |||
| CVE-2024-50701 | 0.00 | — | 0.00 | Dec 30, 2024 | TeamPass before 3.1.3.1, when retrieving information about access rights for a folder, does not properly check whether a folder is in a user's allowed folders list that has been defined by an admin. | |||
| CVE-2023-3565 | 0.00 | — | 0.01 | Jul 8, 2023 | Cross-site Scripting (XSS) - Generic in GitHub repository nilsteampassnet/teampass prior to 3.0.10. | |||
| CVE-2023-3553 | 0.00 | — | 0.01 | Jul 8, 2023 | Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository nilsteampassnet/teampass prior to 3.0.10. | |||
| CVE-2023-3552 | 0.00 | — | 0.00 | Jul 8, 2023 | Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.10. | |||
| CVE-2023-3551 | 0.00 | — | 0.01 | Jul 8, 2023 | Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.10. | |||
| CVE-2023-3531 | 0.00 | — | 0.00 | Jul 6, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.10. | |||
| CVE-2023-3190 | 0.00 | — | 0.01 | Jun 10, 2023 | Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.9. | |||
| CVE-2023-3191 | 0.00 | — | 0.01 | Jun 10, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9. | |||
| CVE-2023-3095 | 0.00 | — | 0.00 | Jun 4, 2023 | Improper Access Control in GitHub repository nilsteampassnet/teampass prior to 3.0.9. | |||
| CVE-2023-3086 | 0.00 | — | 0.01 | Jun 3, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9. | |||
| CVE-2023-3084 | 0.00 | — | 0.01 | Jun 3, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9. | |||
| CVE-2023-3083 | 0.00 | — | 0.01 | Jun 3, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9. | |||
| CVE-2023-3009 | 0.00 | — | 0.01 | May 31, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9. | |||
| CVE-2023-2859 | 0.00 | — | 0.02 | May 24, 2023 | Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.9. | |||
| CVE-2023-2591 | 0.00 | — | 0.01 | May 9, 2023 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitHub repository nilsteampassnet/teampass prior to 3.0.7. | |||
| CVE-2023-2516 | 0.00 | — | 0.01 | May 5, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.7. | |||
| CVE-2023-2021 | 0.00 | — | 0.00 | Apr 13, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.3. | |||
| CVE-2023-1545 | 0.00 | — | 0.08 | Mar 21, 2023 | SQL Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23. | |||
| CVE-2023-1463 | 0.00 | — | 0.01 | Mar 17, 2023 | Authorization Bypass Through User-Controlled Key in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23. | |||
| CVE-2023-1070 | 0.00 | — | 0.01 | Feb 27, 2023 | External Control of File Name or Path in GitHub repository nilsteampassnet/teampass prior to 3.0.0.22. | |||
| CVE-2022-26980 | 0.00 | — | 0.01 | Mar 28, 2022 | Teampass 2.1.26 allows reflected XSS via the index.php PATH_INFO. | |||
| CVE-2019-1000001 | 0.00 | — | 0.02 | Feb 4, 2019 | TeamPass version 2.1.27 and earlier contains a Storing Passwords in a Recoverable Format vulnerability in Shared password vaults that can result in all shared passwords are recoverable server side. This attack appears to be exploitable via any vulnerability that can bypass… | |||
| CVE-2014-3774 | 0.00 | — | 0.02 | Aug 7, 2014 | Multiple cross-site scripting (XSS) vulnerabilities in items.php in TeamPass before 2.1.20 allow remote attackers to inject arbitrary web script or HTML via the group parameter, which is not properly handled in a (1) hid_cat or (2) open_folder form element, or (3) id parameter,… | |||
| CVE-2014-3773 | 0.00 | — | 0.02 | Aug 7, 2014 | Multiple SQL injection vulnerabilities in TeamPass before 2.1.20 allow remote attackers to execute arbitrary SQL commands via the login parameter in a (1) send_pw_by_email or (2) generate_new_password action in sources/main.queries.php; iDisplayStart parameter to (3)… | |||
| CVE-2014-3772 | 0.00 | — | 0.03 | Aug 7, 2014 | TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via a request to index.php followed by a direct request to a file that calls the session_start function before checking the CPM key, as demonstrated by a request to sources/upload/upload.files.php. | |||
| CVE-2014-3771 | 0.00 | — | 0.03 | Aug 7, 2014 | TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via the language file path in a (1) request to index.php or (2) "change_user_language" request to sources/main.queries.php. |
- risk 0.64cvss 9.8epss 0.01
TeamPass before 2.1.27.4 is vulnerable to a SQL injection in users.queries.php.
- risk 0.60cvss 9.8epss 0.03
Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an action_on_quick_icon action to item.query.php or the (2) order or (3) direction parameter in an (a) connections_logs, (b)…
- risk 0.53cvss 8.8epss 0.03
Cross-site request forgery (CSRF) vulnerability in TeamPass 2.1.24 and earlier allows remote attackers to hijack the authentication of an authenticated user.
- risk 0.46cvss 8.1epss 0.01
TeamPass before 2.1.27.9 does not properly enforce item access control when requesting items.queries.php. It is then possible to copy any arbitrary item into a directory controlled by the attacker, edit any item within a read-only directory, delete an arbitrary item, delete the…
- risk 0.42cvss 7.5epss 0.04
An arbitrary file upload vulnerability, present in TeamPass before 2.1.27.9, allows remote authenticated users to upload arbitrary files leading to Remote Command Execution. To exploit this vulnerability, an authenticated attacker has to tamper with parameters of a request to…
- risk 0.36cvss 6.1epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) label value of an item or (2) name of a role.
- risk 0.35cvss 5.4epss 0.00
Stored Cross-Site Scripting (XSS) in Teampass versions prior to 3.1.5.16, affecting the password manager's password import functionality at the endpoint 'redacted/index.php?page=items'. The application fails to properly sanitize and encode user-input data during the import…
- risk 0.35cvss 5.4epss 0.00
Blind Cross-Site Scripting (XSS) in Teampass, versions prior to 3.1.5.16, within the password manager login functionality in the 'contraseña' parameter of the login form 'redacted/index.php'. During failed authentication attempts, the application does not properly clean or…
- risk 0.28cvss 5.4epss 0.01
Multiple stored cross-site scripting (XSS) vulnerabilities in TeamPass before 2.1.27.9 allow authenticated remote attackers to inject arbitrary web script or HTML via the (1) URL value of an item or (2) user log history. To exploit the vulnerability, the attacker must be first…
- risk 0.28cvss 5.4epss 0.01
Cross-Site Scripting (XSS) was discovered in TeamPass before 2.1.27.9. The vulnerability exists due to insufficient filtration of data (in /sources/folders.queries.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable…
- risk 0.25cvss 4.9epss 0.01
TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting roles.queries.php. It is then possible for a manager user to modify any arbitrary roles within the application, or delete any arbitrary role. To exploit the vulnerability, an authenticated…
- risk 0.25cvss 4.9epss 0.01
TeamPass before 2.1.27.9 does not properly enforce manager access control when requesting users.queries.php. It is then possible for a manager user to delete an arbitrary user (including admin), or modify attributes of any arbitrary user except administrator. To exploit the…
- CVE-2012-2234Apr 22, 2012risk 0.03cvss —epss 0.04
Cross-site scripting (XSS) vulnerability in sources/users.queries.php in TeamPass before 2.1.6 allows remote authenticated users to inject arbitrary web script or HTML via the login parameter in an add_new_user action.
- CVE-2024-50702Dec 30, 2024risk 0.00cvss —epss 0.00
TeamPass before 3.1.3.1 does not properly check whether a mail_me (aka action_mail) operation is on behalf of an administrator or manager.
- CVE-2024-50703Dec 30, 2024risk 0.00cvss —epss 0.00
TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id.
- CVE-2024-50701Dec 30, 2024risk 0.00cvss —epss 0.00
TeamPass before 3.1.3.1, when retrieving information about access rights for a folder, does not properly check whether a folder is in a user's allowed folders list that has been defined by an admin.
- CVE-2023-3565Jul 8, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Generic in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
- CVE-2023-3553Jul 8, 2023risk 0.00cvss —epss 0.01
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
- CVE-2023-3552Jul 8, 2023risk 0.00cvss —epss 0.00
Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
- CVE-2023-3551Jul 8, 2023risk 0.00cvss —epss 0.01
Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
- CVE-2023-3531Jul 6, 2023risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.10.
- CVE-2023-3190Jun 10, 2023risk 0.00cvss —epss 0.01
Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
- CVE-2023-3191Jun 10, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
- CVE-2023-3095Jun 4, 2023risk 0.00cvss —epss 0.00
Improper Access Control in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
- CVE-2023-3086Jun 3, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
- CVE-2023-3084Jun 3, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
- CVE-2023-3083Jun 3, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
- CVE-2023-3009May 31, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
- CVE-2023-2859May 24, 2023risk 0.00cvss —epss 0.02
Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.9.
- CVE-2023-2591May 9, 2023risk 0.00cvss —epss 0.01
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in GitHub repository nilsteampassnet/teampass prior to 3.0.7.
- CVE-2023-2516May 5, 2023risk 0.00cvss —epss 0.01
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.7.
- CVE-2023-2021Apr 13, 2023risk 0.00cvss —epss 0.00
Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.3.
- CVE-2023-1545Mar 21, 2023risk 0.00cvss —epss 0.08
SQL Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.
- CVE-2023-1463Mar 17, 2023risk 0.00cvss —epss 0.01
Authorization Bypass Through User-Controlled Key in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.
- CVE-2023-1070Feb 27, 2023risk 0.00cvss —epss 0.01
External Control of File Name or Path in GitHub repository nilsteampassnet/teampass prior to 3.0.0.22.
- CVE-2022-26980Mar 28, 2022risk 0.00cvss —epss 0.01
Teampass 2.1.26 allows reflected XSS via the index.php PATH_INFO.
- CVE-2019-1000001Feb 4, 2019risk 0.00cvss —epss 0.02
TeamPass version 2.1.27 and earlier contains a Storing Passwords in a Recoverable Format vulnerability in Shared password vaults that can result in all shared passwords are recoverable server side. This attack appears to be exploitable via any vulnerability that can bypass…
- CVE-2014-3774Aug 7, 2014risk 0.00cvss —epss 0.02
Multiple cross-site scripting (XSS) vulnerabilities in items.php in TeamPass before 2.1.20 allow remote attackers to inject arbitrary web script or HTML via the group parameter, which is not properly handled in a (1) hid_cat or (2) open_folder form element, or (3) id parameter,…
- CVE-2014-3773Aug 7, 2014risk 0.00cvss —epss 0.02
Multiple SQL injection vulnerabilities in TeamPass before 2.1.20 allow remote attackers to execute arbitrary SQL commands via the login parameter in a (1) send_pw_by_email or (2) generate_new_password action in sources/main.queries.php; iDisplayStart parameter to (3)…
- CVE-2014-3772Aug 7, 2014risk 0.00cvss —epss 0.03
TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via a request to index.php followed by a direct request to a file that calls the session_start function before checking the CPM key, as demonstrated by a request to sources/upload/upload.files.php.
- CVE-2014-3771Aug 7, 2014risk 0.00cvss —epss 0.03
TeamPass before 2.1.20 allows remote attackers to bypass access restrictions via the language file path in a (1) request to index.php or (2) "change_user_language" request to sources/main.queries.php.