CVE-2024-24771

CVSS 3.1 Score 5.9 of 10 (medium)

Details

Published Feb 7, 2024
Updated: Feb 15, 2024
CWE ID 284
CWE ID 287
CWE ID 654

Summary

CVE-2024-24771 is a vulnerability found in Open Forms, a software that allows users to create and publish smart forms. The affected versions are prior to 2.2.9, 2.3.7, 2.4.5, and 2.5.2. The vulnerability involves a non-exploitable weakness in multi-factor authentication (MFA). If superusers' credentials are compromised, the second-factor authentication could potentially be bypassed if an attacker manages to authenticate to Open Forms. Although the maintainers of Open Forms believe this login is not possible, if successful, the attacker could abuse the victim's account to view sensitive submission data or impersonate other staff accounts for unauthorized access or modification of data. To mitigate exploitation, three factors help prevent it: the main login page does not fully log in until the second factor is provided; a misconfigured additional login page cannot be used; and there are no other known ways of bypassing MFA on Open Forms.

Affected Products: urPus1, urPus0, urPus3, urPus2, urPusx, urPusw, urPusz, urPusy, urPus9, urPus8, urPus_, urPus-, and many more.

Remediation steps: Update Open Forms to version 2.2.9 if using versions prior to it.

Potential Danger: The vulnerability poses a medium risk with a base score of 5.9 out of 10 according to NVD analysis. It requires high privileges and can only be exploited over the network with no user interaction required. The impact on integrity and confidentiality is high but availability is not impacted directly by this vulnerability according to the CVSS vector string (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N).

Explore Beyond the CVE Basics with Recorded Future's Vulnerability Intelligence

Note: This is just a basic overview providing quick insights into CVE-2024-24771 information. Gain full access to comprehensive CVE data, risk scores, prioritization, and mitigation data through Recorded Future's Vulnerability Intelligence:
  • Prioritize with Risk-Based Scoring
  • Explore the Extensive Vulnerability Database
  • Receive Early Alerts on Emerging CVEs
  • Focus on Critical Exploitable Vulnerabilities
  • Streamline Remediation with Integration Options