PT-2020-13136 · Teampass · Teampass

Bstapes

Published

2020-04-29

Updated

2021-07-26

CVE-2020-12477

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions TeamPass version 2.1.27.36

Description The issue allows any user with a valid API token to bypass IP address whitelist restrictions. This is achieved via an X-Forwarded-For client HTTP header to the getIp function.

Recommendations For TeamPass version 2.1.27.36, consider restricting access to the getIp function until a patch is available. As a temporary workaround, avoid using the X-Forwarded-For client HTTP header in the REST API functions to minimize the risk of exploitation.

Exploit

Fix

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-863

Related Identifiers

CVE-2020-12477

GHSA-FV48-HJHP-94C7

Affected Products

Teampass

PT-2020-13136 · Teampass · Teampass

CVE-2020-12477

Weakness Enumeration

Related Identifiers

Affected Products

References · 5