Security
Headlines

CVE-2022-2651: Email Verification Bypass Leads To Account Takeover in bookwyrm

Authentication Bypass by Primary Weakness in GitHub repository bookwyrm-social/bookwyrm prior to 0.4.5.

CVE
#git #auth
  1. Hello maintainer, I noticed that there is no rate-limit protection on the https://book.dansmonorage.blue/confirm-email endpoint, so we can perform a brute-force attack

Steps to reproduce:

  1. Create an account with the victim's email ID
  2. When the account is created, it asks for email confirmation by validating an OTP on https://book.dansmonorage.blue/confirm-email
  3. Enter any random OTP and try to perform a brute-force attack

Patch recommendation:

  1. Add rate-limit protection on the POST confirmation email endpoints/parameters

Impact

  1. Pre-Account Takeover
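The patch recommendation above (rate limiting the confirmation-code check) as an added example; this is not bookwyrm's code or the reporter's. It is a hypothetical in-memory confirm-email backend that budgets wrong guesses per email address, locks the address out for a window once the budget is spent, and discards the pending code so a fresh one has to be issued. The class and function names, the policy constants and the six-hex-character code format are assumptions chosen for illustration; the clock is injectable so the lockout and expiry paths can be exercised without sleeping.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Policy values are assumptions for this example, not bookwyrm's settings.
MAX_ATTEMPTS = 5            # wrong guesses tolerated per issued code
LOCKOUT_SECONDS = 15 * 60   # confirmation refused for this long after the budget is spent
CODE_TTL_SECONDS = 10 * 60  # a code older than this is rejected even if correct


@dataclass
class PendingConfirmation:
    code: str
    issued_at: float
    failed_attempts: int = 0


class EmailConfirmationService:
    """Hypothetical confirm-email backend with a per-address attempt budget."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[str, PendingConfirmation] = {}
        self._locked_until: Dict[str, float] = {}

    def _is_locked(self, email: str) -> bool:
        return self._clock() < self._locked_until.get(email, 0.0)

    def issue_code(self, email: str) -> Optional[str]:
        """Mint a fresh code, or refuse while the address is locked out."""
        if self._is_locked(email):
            return None
        code = secrets.token_hex(3)  # six hex characters; constructed format
        self._pending[email] = PendingConfirmation(code=code, issued_at=self._clock())
        return code

    def confirm(self, email: str, submitted: str) -> str:
        """Check a submitted code; every wrong guess consumes attempt budget."""
        if self._is_locked(email):
            return "locked"
        entry = self._pending.get(email)
        if entry is None:
            return "no_pending_code"
        now = self._clock()
        if now - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[email]
            return "expired"
        # Constant-time compare so timing does not leak how many characters matched.
        if hmac.compare_digest(entry.code.encode(), submitted.encode()):
            del self._pending[email]
            return "confirmed"
        entry.failed_attempts += 1
        if entry.failed_attempts >= MAX_ATTEMPTS:
            # Budget spent: drop the code (so the remaining search space is useless)
            # and lock the address until the window passes.
            del self._pending[email]
            self._locked_until[email] = now + LOCKOUT_SECONDS
            return "locked"
        return "invalid"


def demo(start: float = 1_000_000.0) -> Tuple[List[str], str, Optional[str], Optional[str]]:
    """Drive the service with a constructed guessing sequence against one address."""
    now = [start]
    svc = EmailConfirmationService(clock=lambda: now[0])
    email = "victim@example.com"  # constructed address
    real = svc.issue_code(email)
    # Eight guesses that are certainly wrong (the real code is excluded).
    guesses = [f"{i:06x}" for i in range(9) if f"{i:06x}" != real][:8]
    results = [svc.confirm(email, g) for g in guesses]
    during_lock = svc.confirm(email, real)  # even the right code is refused while locked
    refused = svc.issue_code(email)         # and no new code can be minted
    now[0] += LOCKOUT_SECONDS + 1
    reissued = svc.issue_code(email)        # after the window, a fresh code is allowed
    return results, during_lock, refused, reissued


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the guess sequence being checked four times and refused from the fifth attempt onwards, the correct code being refused during the lockout, and code issuance resuming only after the window. In a real deployment the attempt counters and lock timestamps would live in shared storage (the database or a cache) rather than in process memory, and a per-source-IP limit on the endpoint would sit in front of this per-address budget.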

Related news

Bookwyrm 0.4.3 Authentication Bypass

Bookwyrm versions 0.4.3 and below suffer from an authentication bypass vulnerability due to a lack of rate limiting on OTP checks.
