Vulnerabilities > CVE-2024-46937 - Authorization Bypass Through User-Controlled Key vulnerability in Mfasoft Secure Authentication Server

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

NONE

Availability impact

NONE

network

low complexity

mfasoft

CWE-639

NVD

Published: 2024-09-16

Updated: 2024-10-24

Summary

An improper access control (IDOR) vulnerability in the /api-selfportal/get-info-token-properties endpoint in MFASOFT Secure Authentication Server (SAS) 1.8.x through 1.9.x before 1.9.040924 allows remote attackers gain access to user tokens without authentication. The is a brute-force attack on the serial parameter by number identifier: GA00001, GA00002, GA00003, etc.

Vulnerable Configurations

Part	Description	Count
Application	Mfasoft Mfasoft Secure Authentication Server *	1

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

References

https://mfasoft.ru
https://github.com/WI1D-41/IDOR-in-MFASOFT-Secure-Authentication-Server