CVE: CVE-2023-1545
Vulnerability Type: CWE-89: SQL Injection
Severity: High (7.5)

Description:
- TeamPass API endpoint is vulnerable to SQL injection in the field.
- By forging an arbitrary Blowfish hash, the attacker can bypass the password verification check.
- Using the same query, an arbitrary value can be defined.

Proof of Concept:
- The provided script demonstrates how to enumerate users and their password hashes.
- The script assumes the API feature is enabled and the database table prefix is .

Impact:
- Arbitrary SQL SELECT queries can be executed, potentially dumping the entire database.
- Extracted information could be used to gain access to other systems.

Status:
- The vulnerability has been fixed in version 3.0.0.23.

Key Files:
- lines L45 and L58 are affected.
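
Why the forged hash passes verification, and why a bound parameter stops it, shown against a constructed in-memory SQLite table. This is an added example, not TeamPass code and not the proof-of-concept script the advisory refers to. The table, column and function names are assumptions, and PBKDF2 from the Python standard library stands in for the Blowfish hash.

```python
import hashlib
import hmac
import sqlite3

def hash_pw(password: str) -> str:
    # Stand-in for the Blowfish hash named in the advisory (assumption).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"constructed-salt", 10_000).hex()

def make_db() -> sqlite3.Connection:
    # Constructed sample data: one legitimate account.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, login TEXT, pw TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice', ?)", (hash_pw("correct horse"),))
    return db

def _verify(row, password: str) -> bool:
    # The check trusts whatever hash the query returned.
    return row is not None and hmac.compare_digest(row[1], hash_pw(password))

def login_vulnerable(db, login: str, password: str) -> bool:
    # Defect: the login value becomes part of the SQL text, so the caller
    # can add a row of its own and thereby choose the hash that is verified.
    sql = "SELECT id, pw FROM users WHERE login = '" + login + "'"
    return _verify(db.execute(sql).fetchone(), password)

def login_hardened(db, login: str, password: str) -> bool:
    # Fix: the login value is bound as data and never parsed as SQL.
    sql = "SELECT id, pw FROM users WHERE login = ?"
    return _verify(db.execute(sql, (login,)).fetchone(), password)

def forged_login(password: str) -> str:
    # Constructed input: ends the string literal and supplies a result row
    # whose hash column was computed by the caller for its own password.
    return "nobody' UNION SELECT 1, '" + hash_pw(password) + "' -- "

if __name__ == "__main__":
    db = make_db()
    crafted = forged_login("anything")
    print("vulnerable accepts forged row:", login_vulnerable(db, crafted, "anything"))
    print("hardened accepts forged row:  ", login_hardened(db, crafted, "anything"))
```

With the bound parameter the crafted value is compared as a literal login name, matches no row, and the stored hash is the only one that can ever reach the verification step.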