CVE-2022-45174

Name of the Vulnerable Software and Affected Versions LIVEBOX Collaboration vDesk versions through v018

Description An issue allows a Bypass of Two-Factor Authentication for SAML Users. This can occur under the "/login/backup code" endpoint and the "/api/v1/vdeskintegration/challenge" endpoint. The correctness of the TOTP is not checked properly and can be bypassed by passing any string as the backup code.

Recommendations For versions through v018, as a temporary workaround, consider restricting access to the "/login/backup code" and "/api/v1/vdeskintegration/challenge" endpoints until a patch is available. Avoid using the backup code parameter in these affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.