CVE-2014-3773

Name of the Vulnerable Software and Affected Versions TeamPass versions prior to 2.1.20

Description The issue allows remote attackers to execute arbitrary SQL commands via several parameters, including the login parameter in send pw by email or generate new password actions, iDisplayStart and iDisplayLength parameters to files in datatable/, or the sSortDir parameter to files in datatable/ for remote authenticated users.

Recommendations For versions prior to 2.1.20, update to version 2.1.20 or later to resolve the issue. As a temporary workaround, consider restricting access to the sources/main.queries.php and files in source/datatable/ to minimize the risk of exploitation. Avoid using the login, iDisplayStart, iDisplayLength, and sSortDir parameters in the affected API endpoints until the issue is resolved.