Lebiko

**Name of the Vulnerable Software and Affected Versions** TeamPass version 2.1.27.36 **Description** The issue allows for Stored XSS at the Search page. This occurs by setting a crafted password for an item in any folder. **Recommendations** For version 2.1.27.36, consider restricting access to the Search page until a fix is available. As a temporary workaround, avoid using crafted passwords for items in any folder to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TeamPass version 2.1.27.36 **Description** The issue allows for Stored XSS by setting a crafted Knowledge Base label and adding any available item. **Recommendations** For TeamPass version 2.1.27.36, update to a version that fixes this issue, as no specific workaround is provided for this version.

**Name of the Vulnerable Software and Affected Versions** TeamPass version 2.1.27.36 **Description** The issue allows for Stored XSS by placing a payload in the `username` field during a login attempt. When an administrator views the log of failed logins, the XSS payload will be executed. **Recommendations** For TeamPass version 2.1.27.36, avoid using the `username` field in login attempts until the issue is resolved. As a temporary workaround, consider restricting access to the login log to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** TeamPass version 2.1.27.36 **Description** The issue allows for Stored XSS by setting a crafted password for an item in a common available folder or sharing the item with an admin. The crafted password is exploitable when viewing the change history of the item or tapping on the item. This can also occur when sharing an item with an admin and the crafted password is viewed in the change history or the previous used password field. **Recommendations** For TeamPass version 2.1.27.36, as a temporary workaround, consider restricting the ability to set crafted passwords for items in common available folders or shared with admins until a patch is available. Avoid using the `password` field in a way that could introduce malicious code, especially when sharing items with admins or viewing change histories.

**Name of the Vulnerable Software and Affected Versions** TeamPass version 2.1.27.35 **Description** An issue was discovered in the "Import items" feature of the sources/items.queries.php file, allowing an attacker to load a crafted CSV file with an XSS payload. **Recommendations** For TeamPass version 2.1.27.35, consider disabling the "Import items" feature from the sources/items.queries.php file until a patch is available to prevent potential XSS attacks.