CVE-2024-47768

Oct. 7, 2024, 5:48 p.m.

None
No Score

Description

Lif Authentication Server is a server used by Lif to do various tasks regarding Lif accounts. This vulnerability has to do with the account recovery system where there does not appear to be a check to make sure the user has been sent the recovery email and entered the correct code. If the attacker knew the email of the target, they could supply the email and immediately prompt the server to update the password without ever needing the code. This issue has been patched in version 1.7.3.

Product(s) Impacted

Product Versions
Lif Authentication Server
  • ['1.7.3']

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-287
Improper Authentication
When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References

https://github.com/Lif-Platforms/Lif-Auth-Server/commit/8dbd7cad914a8b939451c652bfb716aa796f754e
https://github.com/Lif-Platforms/Lif-Auth-Server/security/advisories/GHSA-hmv6-8fg8-7m6f

Tags

security-advisories@github.com
CWE-287
2024-10-04
CVE-2024-47768

Timeline

Published: Oct. 4, 2024, 3:15 p.m.
Last Modified: Oct. 7, 2024, 5:48 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.