CVE-2020-11671

Name of the Vulnerable Software and Affected Versions TeamPass versions 2.1.27.36 and earlier

Description The issue is related to a lack of authorization controls in REST API functions. This allows any TeamPass user with a valid API token to become a TeamPass administrator and read or modify all passwords via authenticated "api/index.php" REST API calls. It's noted that the API is not available by default.

Recommendations For TeamPass versions 2.1.27.36 and earlier, consider disabling the REST API until a patch is available to prevent exploitation. Restrict access to the "api/index.php" endpoint to minimize the risk of unauthorized password access. Avoid using the API with valid tokens until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.