CVE-2022-45168

Name of the Vulnerable Software and Affected Versions LIVEBOX Collaboration vDesk versions through v018

Description An issue allows a Bypass of Two-Factor Authentication under the "/login/backup code" endpoint and the "/api/v1/vdeskintegration/createbackupcodes" endpoint. This occurs because the application permits a user to generate or regenerate the backup codes before checking the TOTP.

Recommendations For versions through v018, as a temporary workaround, consider restricting access to the "/login/backup code" and "/api/v1/vdeskintegration/createbackupcodes" endpoints until a patch is available. Additionally, avoid using the backup code generation or regeneration feature in these versions to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.