Authentication Bypass Vulnerability in CGFIDO from Changing Information Technology
CVE-2024-12838
8.8 HIGH
Key Information:
- Status
- Vendor
- CVE Published: 31 December 2024
Summary
The passwordless login mechanism in CGFIDO from Changing Information Technology has a flaw that permits authentication bypass. Remote attackers can craft requests that let them impersonate any user in the system, including users with administrative privileges. This undermines the integrity and security of user accounts, so organizations using the product should address the flaw promptly to protect user data and system access.
Affected Version(s)
CGFIDO 0.0.1 < 1.1.0
References
CVSS V3.1
- Score: 8.8
- Severity: HIGH
- Confidentiality: High
- Integrity: High
- Availability: High
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Timeline
Vulnerability published