CVE-2024-46937

CVSS 3.1 Score 9.1 of 10 (critical)

Details

Published: Sep 16, 2024
Updated: Sep 20, 2024
CWE ID 639
CWE ID 284

Summary

CVE-2024-46937 is an improper access control vulnerability in MFASOFT Secure Authentication Server (SAS) versions 1.8.x through 1.9.x prior to 1.9.040924. The /api-selfportal/get-info-token-properties endpoint returns user token information without requiring authentication, so a remote attacker who enumerates values of the serial parameter can retrieve other users' tokens (CWE-639: authorization bypass through a user-controlled key). The CVSS 3.1 base score of 9.1 (critical) reflects a network attack vector, low attack complexity, no privileges and no user interaction required, and high impact on both confidentiality and integrity. Organizations running affected versions should upgrade to 1.9.040924 or later. Until the upgrade is applied, limiting which networks can reach the self-portal endpoint reduces exposure, since the endpoint itself performs no authentication check. For more details, refer to the advisory available at GitHub.
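Because exploitation consists of many unauthenticated requests to one endpoint with a changing serial value, the enumeration is visible in ordinary web-server access logs. The following detection script is an added example written for this page; it is not MFASOFT code and not part of the advisory. It assumes the SAS front end writes Apache/nginx "combined" format logs (adjust LOG_RE for the real server), and the sample log lines, IP addresses, serial values and the 20-serials-per-minute threshold are all constructed for illustration.

```python
"""
Flag source IPs that query many distinct `serial` values against the
MFASOFT SAS self-portal endpoint named in CVE-2024-46937.
Added example, not MFASOFT code. Log format, thresholds and sample data
are assumptions made for this illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/api-selfportal/get-info-token-properties"

# Assumed Apache/nginx "combined" access-log layout.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Return a dict for a request to ENDPOINT, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if parts.path != ENDPOINT:
        return None
    serial = parse_qs(parts.query).get("serial", [None])[0]
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "serial": serial,
        "status": int(m["status"]),
    }


def find_enumeration(lines, window=timedelta(seconds=60), threshold=20):
    """Return {ip: peak distinct serials} for IPs that request at least
    `threshold` distinct serial values inside any sliding `window`.
    Status codes are ignored on purpose: a patched server answering 401/403
    to the same burst is still evidence of an enumeration attempt."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["serial"] is not None:
            by_ip[ev["ip"]].append(ev)

    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        recent = deque()
        peak = 0
        for ev in events:
            recent.append(ev)
            while ev["ts"] - recent[0]["ts"] > window:
                recent.popleft()
            peak = max(peak, len({e["serial"] for e in recent}))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def sample_log():
    """Constructed log lines: one host walking 25 consecutive serials in
    25 seconds, one host making a single ordinary self-portal visit."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    base = datetime(2024, 9, 16, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(25):
        ts = (base + timedelta(seconds=i)).strftime(fmt)
        lines.append(
            f'203.0.113.7 - - [{ts}] "GET {ENDPOINT}?serial={100000 + i} HTTP/1.1" 200 312'
        )
    ts = (base + timedelta(minutes=5)).strftime(fmt)
    lines.append(f'198.51.100.9 - - [{ts}] "GET {ENDPOINT}?serial=100042 HTTP/1.1" 200 312')
    lines.append(f'198.51.100.9 - - [{ts}] "GET /api-selfportal/login HTTP/1.1" 200 1024')
    return lines


if __name__ == "__main__":
    for ip, count in find_enumeration(sample_log()).items():
        print(f"{ip}: {count} distinct serials within 60s")
```

The script keys on distinct serial values per source rather than raw request volume, so a legitimate user refreshing their own token page repeatedly is not flagged, while a scanner rotating serials is. Run it against real logs by replacing `sample_log()` with the lines from your access log; the regular expression and the threshold are the two knobs to tune for a given deployment.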
