Authentication Bypass in CGFIDO from Changing Information Technology
CVE-2024-12839

8.8HIGH

Key Information:

Vendor: Changing Information Technology
Status: Cgfido
Vendor: CVE Published:; 31 December 2024

Summary

The CGFIDO product from Changing Information Technology has a vulnerability in its device authentication mechanism that allows an unauthenticated remote attacker to bypass authentication. This occurs when a user visits a malicious website, which prompts the agent program on their device to transmit an authentication signature. If an attacker acquires this signature, they can gain unauthorized access to the system utilizing any device, posing serious risks to user security and data integrity.

Affected Version(s)

CGFIDO 0 < 1.2.1

References

https://www.twcert.org.tw/tw/cp-132-8334-8b836-1.html

third-party-advisory

https://www.twcert.org.tw/en/cp-139-8335-e4a3f-2.html

third-party-advisory

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Dec 31, 2024