PT-2025-12115 · Langgenius · Dify

Published

2025-03-20

·

Updated

2025-03-21

·

CVE-2024-12039

CVSS v3.1

8.1

High

Vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions langgenius/dify version v0.10.1
Description The password-reset flow does not limit the number of attempts an attacker may make at the six-digit reset code. Because there are only 1,000,000 possible codes, an unauthenticated attacker can enumerate them and reset the password of the owner, an admin, or any other user within a few hours, which gives complete control of the application.
Recommendations For version v0.10.1, limit the number of verification attempts per reset code (for example, invalidate the code after a handful of failed guesses and give it a short expiry) and rate-limit the reset endpoint per account and source address. As a temporary workaround, restrict access to the password-reset functionality until the fix is applied.

Exploit

Fix

Weakness Enumeration

CWE-307: Improper Restriction of Excessive Authentication Attempts

Related Identifiers

CVE-2024-12039

Affected Products

Dify