CVE-2023-46754: Release v1.1.2: URGENT SECURITY PATCH · obl-ong/admin
The admin panel for Obl.ong before 1.1.2 allows authorization bypass because the email OTP feature accepts arbitrary numerical values.
This release contains an urgent security patch for email OTP login.
On previous versions, any actor could log into any account with email OTP enabled by entering any number into the OTP field after requesting an email.
We thank zinc for reporting this issue.
Administrators: update your version of Obl.ong immediately.
Lastly, email OTPs are now sent only when the previous code has expired or you manually hit resend, cutting down on SMTP costs.
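The class of defect described above (an OTP check that accepts any numeric value rather than the code that was issued) and the send-gating described in the last note are illustrated below in a small stand-alone Ruby example. This is added here for explanation and is not Obl.ong's code; nothing about the project's actual data model or implementation is assumed. `weak_verify` is a hypothetical illustration of the bug class, `verify_otp` is the check a defender wants (outstanding code required, expiry enforced, constant-time comparison, single use), and `should_send_otp?` mirrors the release note's rule of only sending a new email when the code has expired or a resend was requested. The in-memory `store` hash is constructed for the example.

```ruby
require 'securerandom'

# Constructed in-memory OTP store for this example: email => { code:, expires_at: }.
# Not the project's data model.
OTP_TTL = 10 * 60 # seconds a code stays valid (assumed value)

# Issue a fresh 6-digit code for an account and record when it expires.
def issue_otp(store, email, now: Time.now)
  code = SecureRandom.random_number(10**6).to_s.rjust(6, '0')
  store[email] = { code: code, expires_at: now + OTP_TTL }
  code
end

# Hypothetical flawed check: it only confirms that *some* number was submitted
# and that an OTP was requested, never that the number matches the issued code.
def weak_verify(store, email, submitted)
  store.key?(email) && submitted.to_s.match?(/\A\d+\z/)
end

# Constant-time string comparison so timing does not leak how many leading
# characters matched.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hardened check: require an outstanding code, enforce expiry, compare the
# submitted value against the issued code in constant time, and consume the
# code on success so it cannot be replayed.
def verify_otp(store, email, submitted, now: Time.now)
  entry = store[email]
  return false unless entry
  if now > entry[:expires_at]
    store.delete(email)
    return false
  end
  ok = constant_time_equal?(submitted.to_s, entry[:code])
  store.delete(email) if ok
  ok
end

# Send-gating from the release note: only send a new email when there is no
# unexpired code outstanding, or when the user explicitly asked for a resend.
def should_send_otp?(store, email, force: false, now: Time.now)
  entry = store[email]
  force || entry.nil? || now > entry[:expires_at]
end
```

Run as a script, `issue_otp` followed by `verify_otp` with the returned code succeeds exactly once; a second attempt with the same code, a different number, or an attempt after `OTP_TTL` seconds is rejected, whereas `weak_verify` accepts any digit string.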