Password Reset Vulnerability in langgenius/dify by LangGenius
CVE-2024-12039
7.4 HIGH
Summary
langgenius/dify version v0.10.1 contains a security flaw that lets unauthenticated attackers abuse the password reset mechanism. The reset flow places no limit on the number of attempts at guessing the six-digit code it issues, so an attacker can keep submitting guesses until the correct code is found. Consequently, attackers can potentially gain unauthorized access to owner, admin, or other user accounts, leading to the complete compromise of the application in a short timeframe.
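The weakness described above is the absence of an attempt limit on the code check, so the defensive fix is to bind every reset code to a small attempt budget and a short lifetime and to invalidate the code once either is exhausted. The following is an added illustration written for this advisory, not code from the Dify project: the `ResetCodeStore` class, its `max_attempts`/`CODE_TTL_SECONDS` parameters and the result strings it returns are all assumptions chosen here. Passing `max_attempts=None` reproduces the unlimited-guess behaviour the advisory describes, for comparison with the bounded default.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical policy values, not taken from Dify's configuration.
CODE_LENGTH = 6
CODE_TTL_SECONDS = 5 * 60   # a reset code is valid for five minutes
DEFAULT_MAX_ATTEMPTS = 5    # guesses allowed per issued code before it is voided


@dataclass
class ResetChallenge:
    code: str
    issued_at: float
    attempts: int = 0


class ResetCodeStore:
    """In-memory store of outstanding password-reset codes, keyed by account.

    max_attempts=None removes the attempt budget and models the vulnerable
    behaviour (unbounded guessing); the bounded default is the mitigation.
    The clock is injectable so that expiry can be exercised in tests.
    """

    def __init__(self, max_attempts: Optional[int] = DEFAULT_MAX_ATTEMPTS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._max_attempts = max_attempts
        self._clock = clock
        self._challenges: Dict[str, ResetChallenge] = {}

    def issue(self, account: str) -> str:
        """Generate a fresh six-digit code; any older code for the account is replaced."""
        code = f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"
        self._challenges[account] = ResetChallenge(code=code, issued_at=self._clock())
        return code  # in a real flow this is e-mailed, never returned to the client

    def verify(self, account: str, submitted: str) -> str:
        """Check a submitted code. Returns one of:
        'ok', 'wrong', 'expired', 'locked', 'no_challenge'."""
        challenge = self._challenges.get(account)
        if challenge is None:
            return "no_challenge"

        if self._clock() - challenge.issued_at > CODE_TTL_SECONDS:
            del self._challenges[account]
            return "expired"

        # Count the attempt before comparing, so a failed request always
        # consumes budget even if something below raises.
        challenge.attempts += 1

        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(challenge.code.encode(), submitted.encode()):
            del self._challenges[account]   # single use: never re-verifiable
            return "ok"

        if self._max_attempts is not None and challenge.attempts >= self._max_attempts:
            del self._challenges[account]   # budget exhausted: a new code must be requested
            return "locked"
        return "wrong"


def guesses_evaluated_before_lockout(store: ResetCodeStore, account: str,
                                     wrong_guesses: int) -> int:
    """Submit `wrong_guesses` incorrect codes and report how many were
    actually checked against the stored code before the store stopped
    accepting attempts. With an unbounded store this equals wrong_guesses."""
    checked = 0
    for i in range(wrong_guesses):
        # Constructed incorrect guess: 'x' can never match a numeric code.
        result = store.verify(account, "x" * CODE_LENGTH)
        if result in ("wrong", "locked"):
            checked += 1
        else:  # 'no_challenge' once the code has been voided
            break
    return checked


if __name__ == "__main__":
    bounded = ResetCodeStore()
    bounded.issue("owner@example.invalid")
    print("bounded store checked", guesses_evaluated_before_lockout(bounded, "owner@example.invalid", 50))
    unbounded = ResetCodeStore(max_attempts=None)
    unbounded.issue("owner@example.invalid")
    print("unbounded store checked", guesses_evaluated_before_lockout(unbounded, "owner@example.invalid", 50))
```

With the default budget of five, a wrong code voids the challenge on the fifth failure and every later submission gets `no_challenge`, so the expected number of guesses an attacker can have evaluated per issued code is bounded by the budget rather than by the code space. A per-account limit like this should be paired with a per-source-IP rate limit on the code-request and code-verify endpoints, since the attacker can otherwise re-request codes to refill the budget.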
Affected Version(s)
langgenius/dify <= unspecified
References
CVSS V3.0
Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved