CVE-2017-15053

Name of the Vulnerable Software and Affected Versions TeamPass versions prior to 2.1.27.9

Description The issue allows a manager user to modify or delete any arbitrary roles within the application due to improper access control enforcement when requesting roles.queries.php. To exploit this, an authenticated attacker with manager rights must tamper with requests, for example, by changing the id parameter when invoking the delete role function on the "roles.queries.php" endpoint.

Recommendations For versions prior to 2.1.27.9, update to version 2.1.27.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the "roles.queries.php" endpoint or limiting the ability to invoke the delete role function to minimize the risk of exploitation.