CVE-2014-3774

Name of the Vulnerable Software and Affected Versions TeamPass versions prior to 2.1.20

Description The issue allows remote attackers to inject arbitrary web script or HTML via the group parameter, which is not properly handled in a (1) hid cat or (2) open folder form element, or (3) id parameter, which is not properly handled in the open id form element. This occurs in the items.php file.

Recommendations For versions prior to 2.1.20, update to version 2.1.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the items.php file or disabling the hid cat, open folder, and open id form elements until a patch is available. Avoid using the group and id parameters in the affected form elements until the issue is resolved.