{"id":"CVE-2020-11671","details":"Lack of authorization controls in REST API functions in TeamPass through 2.1.27.36 allows any TeamPass user with a valid API token to become a TeamPass administrator and read/modify all passwords via authenticated api/index.php REST API calls. NOTE: the API is not available by default.","aliases":["GHSA-gmr7-m73x-6c9q"],"modified":"2026-04-11T22:57:24.287150Z","published":"2020-05-04T14:15:13.230Z","references":[{"type":"REPORT","url":"https://github.com/nilsteampassnet/TeamPass/issues/2765"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nilsteampassnet/teampass","events":[{"introduced":"0"},{"last_affected":"e99658f697a35bde7733be23d29d0f40bb02b035"}],"database_specific":{"cpe":"cpe:2.3:a:teampass:teampass:*:*:*:*:*:*:*:*","source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"2.1.27.36"}]}}],"versions":["2.1","2.1.20","2.1.25.0","2.1.25.1","2.1.25.2","2.1.26","2.1.26-final","2.1.26-final-2","2.1.26-final-3","2.1.26.0","2.1.26.1","2.1.26.10","2.1.26.11","2.1.26.12","2.1.26.13","2.1.26.14","2.1.26.15","2.1.26.16","2.1.26.17","2.1.26.2","2.1.26.3","2.1.26.4","2.1.26.5","2.1.26.6","2.1.26.7","2.1.26.8","2.1.26.9","2.1.27.0","2.1.27.1","2.1.27.10","2.1.27.11","2.1.27.18","2.1.27.19","2.1.27.2","2.1.27.20","2.1.27.21","2.1.27.22","2.1.27.23","2.1.27.24","2.1.27.25","2.1.27.26","2.1.27.27","2.1.27.28","2.1.27.29","2.1.27.3","2.1.27.30","2.1.27.31","2.1.27.32","2.1.27.33","2.1.27.34","2.1.27.35","2.1.27.36","2.1.27.4","2.1.27.5","2.1.27.6","2.1.27.7","2.1.27.8","2.1.27.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-11671.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}