5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-50703

GHSA ID

GHSA-9wmc-988h-2mv2

EPSS Score

0.2146%

CWE

CWE-472

Published

12/30/2024

Updated

12/30/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-50703

CVE-2024-50703: TeamPass privileges issue

TeamPass before 3.1.3.1 does not properly prevent a user from acting with the privileges of a different user_id.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-50703

CVE-2024-50703:

5.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-50703

GHSA ID

GHSA-9wmc-988h-2mv2

EPSS Score

0.2146%

CWE

CWE-472

Published

12/30/2024

Updated

12/30/2024

KEV Status

Technology

PHP

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nilsteampassnet/teampass	composer	< 3.1.3.1	3.1.3.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from two key issues: 1) The frontend sent user identifiers as 'id' which was later standardized to 'user_id', but more critically 2) The backend in users.queries.php lacked proper authorization checks when handling these parameters. The patch adds multiple security layers: a) Centralized parameter validation, b) User privilege checks, and c) Forced user_id overriding for non-admins. The vulnerable functions are the various case handlers that previously accepted user-controlled IDs without verifying if the requester had rights to modify the target user. The CWEs (472/639) directly map to these patterns of unvalidated parameter usage and authorization bypass.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

5.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-50703: TeamPass privileges issue

CVE-2024-50703:

5.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

5.4

5.4

Technical Details

CVE-2024-50703: TeamPass privileges issue

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI