PT-2020-12392 · Oklok+1 · Oklok+1

Published

2020-05-04

Updated

2020-05-15

CVE-2020-10876

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions OKLOK version 3.1.1 Fingerprint Bluetooth Padlock FB50 version 2.3

Description The issue arises from the incorrect implementation of the timeout on the four-digit verification code required for resetting passwords, and the lack of proper restriction on excessive verification attempts. This allows an attacker to brute force the four-digit verification code, bypass email verification, and change the password of a victim account.

Recommendations For OKLOK version 3.1.1, consider implementing a proper timeout on the four-digit verification code and restrict excessive verification attempts to prevent brute force attacks. For Fingerprint Bluetooth Padlock FB50 version 2.3, restrict access to the password reset feature until a proper fix is implemented to prevent unauthorized password changes. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Improper Restriction of Excessive Authentication Attempts

Insufficient Session Expiration

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-307CWE-613

Related Identifiers

CVE-2020-10876

Affected Products

Fingerprint Bluetooth Padlock Fb50

Oklok

PT-2020-12392 · Oklok+1 · Oklok+1

CVE-2020-10876

Weakness Enumeration

Related Identifiers

Affected Products

References · 5