Advisories for Composer/Nilsteampassnet/Teampass package

Cross-site Scripting (XSS) - Generic in GitHub repository nilsteampassnet/teampass prior to 3.0.10.

Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.10.

Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.10.

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository nilsteampassnet/teampass prior to 3.0.10.

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.10.

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.

Improper Encoding or Escaping of Output in GitHub repository nilsteampassnet/teampass prior to 3.0.9.

Improper Access Control in GitHub repository nilsteampassnet/teampass prior to 3.0.9.

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.9.

Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.9.

Code Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.7.

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.7.

Cross-site Scripting (XSS) - Stored in GitHub repository nilsteampassnet/teampass prior to 3.0.3.

SQL Injection in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.

Improper Authorization in GitHub repository nilsteampassnet/teampass prior to 3.0.0.23.

External Control of File Name or Path in GitHub repository nilsteampassnet/teampass prior to 3.0.0.22.

Teampass 2.1.26 allows reflected XSS via the index.php PATH_INFO.

Lack of authorization controls in REST API functions in TeamPass allows any TeamPass user with a valid API token to become a TeamPass administrator and read or modify all passwords via authenticated api/index.php REST API calls.

TeamPass allows any authenticated TeamPass user to trigger a PHP file include vulnerability via a crafted HTTP request.

TeamPass allows an unauthenticated attacker to retrieve files from the TeamPass web root. This may include backups or LDAP debug files.

The REST API functions in TeamPass allow any user with a valid API token to bypass IP address allowlist restrictions via an X-Forwarded-For client HTTP header to the getIp function.

TeamPass allows Stored XSS by placing a payload in the username field during a login attempt. When an administrator looks at the log of failed logins, the XSS payload will be executed.

TeamPass allows Stored XSS at the Search page by setting a crafted password for an item in any folder.

TeamPass allows Stored XSS by setting a crafted Knowledge Base label and adding any available item.

TeamPass allows Stored XSS by setting a crafted password for an item in a common available folder or sharing the item with an admin. (The crafted password is exploitable when viewing the change history of the item or tapping on the item.)

From the sources/items.queries.php "Import items" feature, it is possible to load a crafted CSV file with an XSS payload.

TeamPass contains a Storing Passwords in a Recoverable Format vulnerability in Shared password vaults that can result in all shared passwords are recoverable server side. This attack appears to be exploitable via any vulnerability that can bypass authentication or role assignment and can lead to shared password leakage.

An arbitrary file upload vulnerability allows remote authenticated users to upload arbitrary files leading to Remote Command Execution. To exploit this vulnerability, an authenticated attacker has to tamper with parameters of a request to upload.files.php, in order to select the correct branch and be able to upload any arbitrary file.

TeamPass does not properly enforce manager access control when requesting users.queries.php. It is then possible for a manager user to delete an arbitrary user (including admin), or modify attributes of any arbitrary user except administrator.

TeamPass does not properly enforce manager access control when requesting roles.queries.php. It is then possible for a manager user to modify any arbitrary roles within the application, or delete any arbitrary role.

TeamPass does not properly enforce item access control when requesting items.queries.php. It is then possible to copy any arbitrary item into a directory controlled by the attacker, edit any item within a read-only directory, delete an arbitrary item, delete the file attachments of an arbitrary item, copy the password of an arbitrary item to the copy/paste buffer, access the history of an arbitrary item, and edit attributes of an arbitrary …

Multiple stored cross-site scripting vulnerabilities.

This vulnerability exists due to insufficient filtration of data (in /sources/folders.queries.php). An attacker could execute arbitrary HTML and script code in a browser in the context of the vulnerable website.

TeamPass is vulnerable to an SQL injection in users.queries.php.