PT-2023-14628 · Unknown · Livebox Collaboration Vdesk
Massimiliano Brolli
·
Published
2023-04-14
·
Updated
2023-04-19
·
CVE-2022-45173
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
LIVEBOX Collaboration vDesk versions vDesk through v018
Description
An issue allows a Bypass of Two-Factor Authentication under the "/api/v1/vdeskintegration/challenge" endpoint. Since only the client-side verifies whether a check was successful, an attacker can modify the response and fool the application into concluding that the TOTP was correct.
Recommendations
For versions vDesk through v018, as a temporary workaround, consider restricting access to the "/api/v1/vdeskintegration/challenge" endpoint until a patch is available. Additionally, ensure that server-side verification of the TOTP is implemented to prevent bypassing of Two-Factor Authentication.
Exploit
Fix
Improper Authentication
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Livebox Collaboration Vdesk