CVE-2015-7564

CRITICAL

TeamPass < 2.1.24 - SQL Injection via Item Query or View Log Parameters


Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-7564. PoCs published by Vincent Malguy.

AI-analyzed exploit summary: This is a detailed technical writeup describing multiple vulnerabilities (XSS, CSRF, SQLi) in TeamPass 2.1.24, including proof-of-concept examples, affected parameters, and references to vendor fixes. It provides specific payloads and commit references for remediation.

Description

Multiple SQL injection vulnerabilities in TeamPass 2.1.24 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) id parameter in an action_on_quick_icon action to item.query.php or the (2) order or (3) direction parameter in an (a) connections_logs, (b) errors_logs or (c) access_logs action to view.query.php.

Exploits (1)

exploitdb WRITEUP VERIFIED
by Vincent Malguy · text · webapps · php
https://www.exploit-db.com/exploits/39559


Classification: Writeup 95%
Attack Type: XSS | CSRF | SQLi
Complexity: Moderate
Reliability: Reliable
Target: TeamPass 2.1.24 and prior
Auth required
Prerequisites: Access to a vulnerable TeamPass instance · Authenticated user session for CSRF/XSS · Ability to craft malicious input for SQLi
devstral-2 · analyzed Feb 18, 2026

References (2)

Core References
Exploit, Patch, Third Party Advisory exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/39559/

Scores

CVSS v3 9.8
EPSS 0.0225
EPSS Percentile 85.0%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-89
Status: published
Products (2)
nilsteampassnet/teampass 0 - 2.1.25 (Packagist)
teampass/teampass < 2.1.24
Published Apr 12, 2017
Tracked Since Feb 18, 2026