Teedy
Improper access controls in Sismics Teedy up to version 1.11 allow authenticated remote attackers to manipulate the /api/file endpoint, leading to unauthorized information disclosure. Public exploit code is available and all versions through 1.11 are affected; the vendor has not responded to disclosure notifications. With an EPSS score of 0.05% and a low CVSS impact severity despite network accessibility, real-world exploitation appears limited to scenarios where the attacker already holds valid authentication credentials.
When LDAP connection is activated in Teedy versions 1.9 through 1.12, the username field of the login form is vulnerable to LDAP injection. Rated critical (CVSS 9.8), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available; no vendor patch is available.
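The root cause of an LDAP injection in a login form is that the submitted username is interpolated into an LDAP search filter without escaping, so filter metacharacters in the input change the structure of the query. The following is an added example, not Teedy's code: it shows a vulnerable filter builder next to one that escapes the value per RFC 4515, and a small structural check that makes the difference visible. The filter shape `(&(objectClass=person)(uid=...))` and the test input are constructed for illustration.

```python
# RFC 4515 escaping for values placed inside an LDAP search filter.
# Backslash is handled first so the escapes we emit are not re-escaped.
_LDAP_FILTER_ESCAPES = (
    ("\\", r"\5c"),
    ("*", r"\2a"),
    ("(", r"\28"),
    (")", r"\29"),
    ("\x00", r"\00"),
)


def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-supplied string so it is treated as a literal value."""
    for raw, esc in _LDAP_FILTER_ESCAPES:
        value = value.replace(raw, esc)
    return value


def build_user_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: raw input interpolated into the filter (illustration only)."""
    return f"(&(objectClass=person)(uid={username}))"


def build_user_filter_safe(username: str) -> str:
    """Hardened pattern: the username can only ever match as a literal."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


def count_filter_components(ldap_filter: str) -> int:
    """Count '(' characters; escaped parentheses become '\\28' and are not counted.
    A filter built from a fixed template should always yield the same count,
    so a changed count is a sign that input altered the query structure."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed test input carrying filter metacharacters.
    crafted = "*)(uid=*"
    for builder in (build_user_filter_unsafe, build_user_filter_safe):
        f = builder(crafted)
        print(f"{builder.__name__}: {f}  components={count_filter_components(f)}")
```

With a normal username both builders produce a three-component filter; with metacharacters in the input the unsafe builder's component count changes while the safe builder's does not, which is exactly the property a code reviewer or a unit test should pin down for any login path that talks to a directory server.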
Teedy <= 1.12 is vulnerable to Cross-Site Request Forgery (CSRF) due to the lack of CSRF protection. Rated high (CVSS 8.8), this vulnerability is remotely exploitable with no authentication required and low attack complexity. Public exploit code is available; no vendor patch is available.
Teedy through 1.11 allows CSRF for account takeover via POST /api/user/admin. Rated high (CVSS 7.5), this vulnerability is remotely exploitable with no authentication required. No vendor patch is available.