CVE-2024-47768

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-47768
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47768.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-47768
Aliases
  • GHSA-hmv6-8fg8-7m6f
Published
2024-10-04T15:15:13Z
Modified
2024-11-13T16:45:28.528407Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Lif Authentication Server is a server used by Lif to do various tasks regarding Lif accounts. This vulnerability has to do with the account recovery system where there does not appear to be a check to make sure the user has been sent the recovery email and entered the correct code. If the attacker knew the email of the target, they could supply the email and immediately prompt the server to update the password without ever needing the code. This issue has been patched in version 1.7.3.

References

Affected packages

Git / github.com/lif-platforms/lif-auth-server

Affected ranges

Type
GIT
Repo
https://github.com/lif-platforms/lif-auth-server
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
8dbd7cad914a8b939451c652bfb716aa796f754e

Affected versions

1.*

1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.4.0
1.4.1
1.4.2
1.4.3
1.5.0
1.5.1
1.6.0
1.6.1
1.7.0
1.7.1
1.7.2