Lack of Authorization Control in TeamPass by nilsteampassnet
CVE-2020-11671

8.1 HIGH

Key Information:

Vendor: Teampass
Status: Vendor
CVE Published: 4 May 2020

What is CVE-2020-11671?

The vulnerability in TeamPass results from the lack of proper authorization controls in its REST API functions. Any user holding a valid API token can escalate their privileges to those of a TeamPass administrator and, with that level of access, read and modify every stored password through authenticated API calls to api/index.php. Note that access to this API is not enabled by default, which limits immediate exploitation but does not eliminate the risk for installations that have turned it on.

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability Reserved