CVE-2024-47768

Lif Authentication Server Has No Auth Check When Updating Password In Account Recovery

Description

Lif Authentication Server is a server used by Lif to do various tasks regarding Lif accounts. This vulnerability has to do with the account recovery system where there does not appear to be a check to make sure the user has been sent the recovery email and entered the correct code. If the attacker knew the email of the target, they could supply the email and immediately prompt the server to update the password without ever needing the code. This issue has been patched in version 1.7.3.

Categories

6.9
CVSS
Severity: Medium
CVSS 4.0 •
CVSS 3.1 •
EPSS 0.11%
Vendor Advisory github.com
Affected: Lif-Platforms Lif-Auth-Server
Published at:
Updated at:

References

Link Tags
https://github.com/Lif-Platforms/Lif-Auth-Server/security/advisories/GHSA-hmv6-8fg8-7m6f vendor advisory
https://github.com/Lif-Platforms/Lif-Auth-Server/commit/8dbd7cad914a8b939451c652bfb716aa796f754e patch

Frequently Asked Questions

What is the severity of CVE-2024-47768?
CVE-2024-47768 has been scored as a medium severity vulnerability.
How to fix CVE-2024-47768?
To fix CVE-2024-47768, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-47768 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-47768 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-47768?
CVE-2024-47768 affects Lif-Platforms Lif-Auth-Server.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.