Lack of authorization controls in REST API functions in TeamPass through 2.1.27.36 allows any TeamPass user with a valid API token to become a TeamPass administrator and read/modify all passwords via authenticated api/index.php REST API calls. NOTE: the API is not available by default.
References
Link | Resource |
---|---|
https://github.com/nilsteampassnet/TeamPass/issues/2765 | Exploit Issue Tracking Third Party Advisory |
Configurations
Information
Published : 2020-05-04 07:15
Updated : 2021-07-21 04:39
NVD link : CVE-2020-11671
Mitre link : CVE-2020-11671
JSON object : View
CWE
CWE-862
Missing Authorization
Products Affected
teampass
- teampass