CVE-2024-46937

Published: Sep 16, 2024Modified: Oct 24, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

An improper access control (IDOR) vulnerability in the /api-selfportal/get-info-token-properties endpoint in MFASOFT Secure Authentication Server (SAS) 1.8.x through 1.9.x before 1.9.040924 allows remote attackers gain access to user tokens without authentication. The is a brute-force attack on the serial parameter by number identifier: GA00001, GA00002, GA00003, etc.

Affected (1)

Products: Mfasoft: Secure Authentication Server

1 product

Secure Authentication Server

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Mfasoft Secure Authentication Server	From 1.8.0 to 1.9.040924

Related CWEs

Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

References (2)

https://github.com/WI1D-41/IDOR-in-MFASOFT-Secure-Authentication-Server

Source: cve@mitre.org

Third Party Advisory

https://mfasoft.ru

Source: cve@mitre.org

Product

Timeline

No history available yet.