Superior126

**Name of the Vulnerable Software and Affected Versions** Lif Authentication Server versions prior to 1.7.3 **Description** The issue is related to the account recovery system of the Lif Authentication Server, where there is no check to ensure the user has received the recovery email and entered the correct code. An attacker who knows the target's email can supply the email and prompt the server to update the password without needing the code. **Recommendations** For versions prior to 1.7.3, update to version 1.7.3 to resolve the issue. As a temporary workaround, consider restricting access to the account recovery system until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** Ringer server versions prior to 1.3.1 **Description** The issue concerns the messages loading route in the Ringer server, where it fails to verify if the user loading a conversation is actually a member of that conversation. This allows any user with a Lif Account to load any conversation between two users without permission. The problem was solved in version 1.3.1. **Recommendations** For versions prior to 1.3.1, update to version 1.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the messages loading route until the patch is applied.

**Name of the Vulnerable Software and Affected Versions** Lif Auth Server versions prior to 1.4.0 **Description** The issue relates to the `get pfp` and `get banner` routes on Auth Server, where there is no check to ensure that the file received through these URLs is correct. This could allow an attacker access to files they shouldn't have access to. **Recommendations** For versions prior to 1.4.0, update to version 1.4.0 to resolve the issue. As a temporary workaround, consider restricting access to the `get pfp` and `get banner` routes until the update is applied.