CVE-2024-47768 MEDIUM

CVE-2024-47768: Lif Authentication Server Has No Auth Check When Updating Password In Account Recovery

Vendor Lif-Platforms
Product Lif-Auth-Server
Weakness CWE-287 · Improper authentication
Published October 4, 2024
Last update October 4, 2024

CVSS base score

6.9/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity Low
Availability Low

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Lif Authentication Server is the service Lif uses for tasks involving Lif accounts. The vulnerability is in the account-recovery flow: the endpoint that updates a password does not verify that a recovery email was sent to the account or that the caller entered the correct recovery code. An attacker who knows only the target's email address can submit it and have the server set a new password immediately, without ever receiving or supplying a code, and so take over the account. The issue is fixed in version 1.7.3; earlier versions should be upgraded.
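The flow described above, as an added example that is not Lif-Auth-Server's code (nothing from the project is quoted; the handler names, the in-memory stores and the mail outbox are hypothetical stand-ins): `update_password_unchecked` reproduces the CWE-287 pattern, where the email alone authorises the reset, and the three handlers `request_recovery`, `verify_code` and `update_password_checked` show one way to bind the reset to a code that was actually delivered, verified and consumed.

```python
# Added example, not Lif-Auth-Server code. All names here are hypothetical.
import hashlib
import hmac
import secrets
import time
from typing import Optional

USERS = {}      # constructed user store: email -> {"salt", "digest"}
OUTBOX = []     # constructed stand-in for the mail system: (email, code)
RECOVERY = {}   # pending recoveries: email -> {"code","expires","attempts","token"}

CODE_TTL = 600       # seconds a recovery code (and its reset token) stays valid
MAX_ATTEMPTS = 5     # wrong code guesses allowed before the recovery is discarded


def _hash_password(password: str, salt: Optional[bytes] = None):
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _set_password(email: str, password: str) -> None:
    salt, digest = _hash_password(password)
    USERS[email] = {"salt": salt, "digest": digest}


def register(email: str, password: str) -> None:
    _set_password(email, password)


def check_password(email: str, password: str) -> bool:
    user = USERS.get(email)
    if user is None:
        return False
    _, digest = _hash_password(password, user["salt"])
    return hmac.compare_digest(digest, user["digest"])


# --- Vulnerable pattern (CWE-287): knowing the email is the only "proof" ----
def update_password_unchecked(email: str, new_password: str) -> int:
    """Returns an HTTP-style status. Nothing shows the caller owns the mailbox."""
    if email not in USERS:
        return 404
    _set_password(email, new_password)
    return 200


# --- Hardened flow: code must be delivered, verified, then consumed ---------
def request_recovery(email: str, now: Optional[float] = None) -> int:
    """Step 1: mint a short-lived code and 'email' it. The response is the same
    whether or not the account exists, so the endpoint does not enumerate users."""
    now = time.time() if now is None else now
    if email in USERS:
        code = f"{secrets.randbelow(10**6):06d}"
        RECOVERY[email] = {"code": code, "expires": now + CODE_TTL,
                           "attempts": 0, "token": None}
        OUTBOX.append((email, code))
    return 202


def verify_code(email: str, code: str, now: Optional[float] = None) -> Optional[str]:
    """Step 2: check the code in constant time; on success return a reset token."""
    now = time.time() if now is None else now
    pending = RECOVERY.get(email)
    if pending is None or now > pending["expires"]:
        RECOVERY.pop(email, None)
        return None
    pending["attempts"] += 1
    if not hmac.compare_digest(pending["code"].encode(), code.encode()):
        if pending["attempts"] >= MAX_ATTEMPTS:
            RECOVERY.pop(email, None)   # too many guesses: start over
        return None
    pending["token"] = secrets.token_urlsafe(32)
    return pending["token"]


def update_password_checked(email: str, token: str, new_password: str,
                            now: Optional[float] = None) -> int:
    """Step 3: only a live reset token issued for this email may change it."""
    now = time.time() if now is None else now
    pending = RECOVERY.get(email)
    if pending is None or pending["token"] is None or now > pending["expires"]:
        return 403
    if not hmac.compare_digest(pending["token"].encode(), token.encode()):
        return 403
    RECOVERY.pop(email)   # token is single-use: consume it before writing
    _set_password(email, new_password)
    return 200
```

The checked handler refuses any call that is not preceded by a successful `verify_code` for the same email within the code's lifetime, and the token is deleted before the password is written, so replaying it fails. `request_recovery` answers 202 for unknown addresses too, so the recovery endpoint cannot be used to enumerate accounts. A production server would add per-address and per-IP rate limiting and revoke existing sessions after a reset; those are left out here to keep the example focused on the missing check.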

Key dates

02 Disclosure timeline

October 4, 2024 CVE published
October 4, 2024 Record updated