CVE-2024-24771
CVSS 3.1 Score 5.9 of 10 (medium)
Details
Summary
CVE-2024-24771 is a vulnerability affecting Open Forms, an application used to create and publish smart forms. Versions prior to 2.2.9, 2.3.7, 2.4.5, and 2.5.2 contain a non-exploitable multi-factor authentication weakness. An attacker holding a superuser's compromised credentials could bypass the second authentication factor and gain unauthorized access to the account. This could result in sensitive data being viewed, or in the impersonation of other staff accounts for further data manipulation. However, the maintainers of Open Forms consider exploitation unlikely, because the usual login page requires full user authentication and the additional, misconfigured login page was not functional. Patches have been released in versions 2.2.9, 2.3.7, 2.4.5, and 2.5.2: the API auth endpoints are now enabled only when `settings.DEBUG = True`, and a custom permission check is applied to the hijack flow. Note that `settings.DEBUG = True` must never be used in production.
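As an added illustration that is not part of the advisory or of Open Forms' code, the plain-Python model below sketches the two patched behaviours: auth API routes are registered only when a debug flag is set, and the hijack permission check requires a completed second factor. The `User`, `build_urlpatterns` and `can_hijack` names and the route paths are assumptions.

```python
from dataclasses import dataclass


@dataclass
class User:
    """Minimal stand-in for a Django user (hypothetical, for illustration)."""
    username: str
    is_superuser: bool = False
    is_staff: bool = False
    otp_verified: bool = False  # True only after the second factor passed this session


# Routes the regular, fully authenticated login flow needs (constructed sample paths).
PUBLIC_ROUTES = ["login/", "logout/", "hijack/"]
# Debug-only API authentication endpoints that the fix keeps out of production
# (constructed sample paths, not Open Forms' real URL layout).
DEBUG_ONLY_ROUTES = ["api/v1/auth/login/", "api/v1/auth/logout/"]


def build_urlpatterns(debug: bool) -> list[str]:
    """Mirror the patched behaviour: API auth endpoints exist only when DEBUG is on."""
    routes = list(PUBLIC_ROUTES)
    if debug:
        routes.extend(DEBUG_ONLY_ROUTES)
    return routes


def can_hijack(hijacker: User, hijacked: User) -> bool:
    """Custom permission check for the hijack flow.

    Password-only access is not enough: the acting user must be a staff superuser
    who has completed the second factor in this session. The target is accepted as
    any user; extra rules about who may be hijacked are out of scope here.
    """
    if not (hijacker.is_superuser and hijacker.is_staff):
        return False
    return hijacker.otp_verified


def route_enabled(route: str, debug: bool) -> bool:
    """Helper for checking whether a route is reachable under a given DEBUG value."""
    return route in build_urlpatterns(debug)


if __name__ == "__main__":
    admin = User("admin", is_superuser=True, is_staff=True, otp_verified=False)
    print(route_enabled("api/v1/auth/login/", debug=False))  # False: not in production
    print(can_hijack(admin, User("staff", is_staff=True)))   # False: no second factor yet
```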
Affected Vendors
- Maykin Media