CVE-2017-15052

Name of the Vulnerable Software and Affected Versions TeamPass versions prior to 2.1.27.9

Description The issue allows a manager user to delete or modify attributes of any arbitrary user, except for the administrator, by tampering with requests sent directly to the users.queries.php endpoint. This can be achieved by changing the id parameter when invoking the delete user function. The exploitation requires an authenticated attacker with manager rights on the application.

Recommendations For versions prior to 2.1.27.9, update to version 2.1.27.9 or later to resolve the issue. As a temporary workaround, consider restricting access to the users.queries.php endpoint for manager users until the update is applied. Additionally, restrict the use of the delete user function and the modification of user attributes to minimize the risk of exploitation.