PT-2023-31305 · Linotp · Linotp

Published: 2023-12-19 · Updated: 2023-12-28 · CVE-2023-49706

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: LinOTP versions 3.x before 3.2.5

Description: Defective request context handling in Self Service allows remote unauthenticated attackers to escalate privileges, thereby allowing them to act as, and with the permissions of, another user. Attackers must generate repeated API requests to trigger a race condition with concurrent user activity in the self-service portal.

Recommendations: For versions prior to 3.2.5, update to version 3.2.5 or later to resolve the issue. As a temporary workaround, consider restricting access to the self-service portal to minimize the risk of exploitation.

Fix

Weakness Enumeration: Race Condition

Related Identifiers: CVE-2023-49706

Affected Products: Linotp