CVE-2024-50701: 
PHP vulnerability analysis and mitigation

TeamPass before version 3.1.3.1 contains a security vulnerability where the application does not properly check whether a folder is in a user's allowed folders list that has been defined by an administrator when retrieving information about access rights for a folder (NVD). The vulnerability was discovered and disclosed on December 30, 2024, affecting the access control mechanism of the TeamPass password management system.

The vulnerability is classified as an Incorrect Privilege Assignment issue (CWE-266) with a CVSS v3.1 base score of 4.3 (Medium). The vulnerability exists in the folder access rights verification process, where the application fails to properly validate whether a folder is in the user's allowed folders list as defined by the administrator (MITRE).

This vulnerability could allow an authenticated user with limited privileges to gain unauthorized access to folders that should be restricted based on administrator-defined permissions. This could potentially lead to unauthorized access to sensitive information stored in these folders.

The vulnerability has been fixed in TeamPass version 3.1.3.1. Users should upgrade to this version or later to address the security issue. The fix includes proper validation of user's allowed folders list when checking folder access rights (TeamPass Commit).