CVE-2024-50702: 
PHP vulnerability analysis and mitigation

TeamPass before version 3.1.3.1 contains a privilege escalation vulnerability (CVE-2024-50702) discovered on December 30, 2024. The vulnerability exists because the application does not properly check whether a mailme (also known as actionmail) operation is being performed on behalf of an administrator or manager (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N. The issue is classified as CWE-266 (Incorrect Privilege Assignment). The vulnerability stems from insufficient permission checks in the mail handling functionality, allowing users to perform mail operations without proper authorization verification (NVD).

This vulnerability could allow an authenticated user with lower privileges to perform mail operations that should be restricted to administrators or managers. This could lead to unauthorized access to mail functionality and potential privilege escalation (NVD).

The vulnerability has been fixed in TeamPass version 3.1.3.1. Users are recommended to upgrade to this version or later. The fix includes proper permission checks for mail operations to ensure they are only performed by authorized administrators or managers (GitHub Commit).