Non-Exploitable Multi-Factor Authentication Weakness in Open Forms Prior to Versions 2.2.9, 2.3.7, 2.4.5, and 2.5.2
CVE-2024-24771

7.7HIGH

Key Information:

Vendor

Open-formulieren

Status
Open-forms
Vendor
CVE Published:
7 February 2024

What is CVE-2024-24771?

Open Forms allows users to create and publish smart forms. Certain versions have a non-exploitable weakness related to multi-factor authentication. If a superuser's credentials are compromised, an attacker may bypass the second-factor authentication under specific conditions, potentially allowing access to sensitive submission data or impersonating other staff accounts. This vulnerability presumes that a superuser's login credentials are stolen, and certain mitigations are in effect to restrict exploitation. Patches have been issued in versions 2.2.9, 2.3.7, 2.4.5, and 2.5.2 to address these concerns, which include relocating API authentication endpoints and implementing stricter permission checks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

open-forms < 2.2.9 < 2.2.9

open-forms >= 2.3.0-alpha.0, < 2.3.7 < 2.3.0-alpha.0, 2.3.7

open-forms >= 2.4.0-alpha.0, < 2.4.4 < 2.4.0-alpha.0, 2.4.4

References

https://github.com/open-formulieren/open-forms/security/a...
x_refsource_CONFIRM
https://github.com/open-formulieren/open-forms/releases/t...
x_refsource_MISC
https://github.com/open-formulieren/open-forms/releases/t...
x_refsource_MISC

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.