CVE-2024-24771

CVSS 3.1 Score 5.9 of 10 (medium)

Details

Published Feb 7, 2024
Updated: Feb 15, 2024
CWE ID 287
CWE ID 284
CWE ID 654

Summary

CVE-2024-24771 is a vulnerability in Open Forms, an application for creating and publishing smart forms. Versions prior to 2.2.9, 2.3.7, 2.4.5, and 2.5.2 contain a multi-factor authentication weakness that the maintainers consider non-exploitable. An attacker holding a superuser's compromised credentials could bypass the second factor and gain unauthorized access to that account, which could expose sensitive data or allow impersonation of other staff accounts for further data manipulation. The maintainers of Open Forms consider exploitation unlikely because the usual login page requires full user authentication and the additional, misconfigured login page was not functional. Versions 2.2.9, 2.3.7, 2.4.5, and 2.5.2 address the weakness by enabling the API auth endpoints only when `settings.DEBUG = True` and by applying a custom permission check to the hijack flow. `settings.DEBUG = True` must never be used in production.
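The two hardening measures named above, modelled as an added example that is not Open Forms' own code: API auth routes mounted only when `DEBUG` is true, and a permission callable for the hijack (user impersonation) flow. django-hijack does expose a `HIJACK_PERMISSION_CHECK` setting naming a callable that takes `(hijacker, hijacked)` and returns a bool; the `User` stand-in, the `second_factor_verified` flag, the route names and the exact conditions below are assumptions for illustration, not the patch's actual logic.

```python
"""Illustrative model (not Open Forms' own code) of the two mitigations:
API auth endpoints gated on DEBUG, and a custom permission check for the
hijack flow. Plain Python so it runs without Django installed."""
from dataclasses import dataclass


@dataclass
class User:
    # Constructed stand-in for Django's user model (assumption).
    username: str
    is_active: bool = True
    is_staff: bool = False
    is_superuser: bool = False
    # Assumed flag set once the session has completed the second factor.
    second_factor_verified: bool = False


def hijack_permission_check(hijacker: User, hijacked: User) -> bool:
    """Hypothetical HIJACK_PERMISSION_CHECK callable.

    A password alone is not enough: the hijacker must be an active superuser
    whose current session has completed the second factor, the target must be
    an active account, and superusers can never be impersonated.
    """
    if not (hijacker.is_active and hijacker.is_superuser):
        return False
    if not hijacker.second_factor_verified:
        return False
    if hijacked.is_superuser:
        return False
    return hijacked.is_active


def build_urlpatterns(debug: bool) -> list[str]:
    """Return the route prefixes registered for this process.

    The API auth login/logout routes (assumed names) are only mounted when
    DEBUG is true, so a production deployment, where DEBUG must be False,
    never exposes them at all.
    """
    patterns = ["admin/", "api/v2/forms/"]
    if debug:
        patterns += ["api/v2/api-auth/login/", "api/v2/api-auth/logout/"]
    return patterns


if __name__ == "__main__":
    admin = User("admin", is_superuser=True, second_factor_verified=True)
    staff = User("editor", is_staff=True)
    print("admin may hijack editor:", hijack_permission_check(admin, staff))
    print("routes in production:", build_urlpatterns(debug=False))
```

The session flag is the essential part: checking `is_superuser` alone is exactly the gap a stolen password exploits, so the callable must also confirm the second factor was completed in this session.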


