PT-2024-20548 · Vantage6 · Vantage6
Bartvanb · Published 2024-01-30 · Updated 2026-01-16 · CVE-2024-24770

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: vantage6 (affected versions not specified)
Description: The issue allows attackers to determine which usernames exist in vantage6 by calling the API routes "/recover/lost" and "/2fa/lost", which send emails to users who have lost their password or MFA token. Usernames can be identified from response time differences, and additionally because the endpoint responds with "Failed to login" when the username exists. This could aid attackers in credential attacks.
Recommendations: As a temporary workaround, consider restricting access to the API routes "/recover/lost" and "/2fa/lost" until a patch is available. Upgrade to a new release as soon as it is available, as the issue has been addressed in commit aecfd6d0e and is expected to ship in subsequent releases.
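The two leaks named in the description (a different message for known users, and extra work done only for known users that shows up as a response-time difference) come from one handler shape. The added example below is not vantage6 code; it is a constructed recovery handler written the vulnerable way next to a hardened version that returns the same body, status and minimum elapsed time for every username. The user store, the mailer stand-in, the endpoint names and the 250 ms floor are assumptions made for this example.

```python
"""Added example (not vantage6 project code): a "lost password" handler
written two ways to show the account-enumeration pattern and its fix.
USERS, send_recovery_mail and MIN_RESPONSE_SECONDS are constructed."""
import secrets
import time

# Constructed user store: username -> e-mail address (assumption).
USERS = {"alice": "alice@example.invalid"}

# Records outbound mail so the behaviour can be inspected without SMTP.
SENT_MAIL = []

# Assumed fixed floor for every response, so the mail branch cannot be
# distinguished by timing. Choose it above the slowest legitimate path.
MIN_RESPONSE_SECONDS = 0.25


def send_recovery_mail(address: str, token: str) -> None:
    """Stand-in for the real mailer; only records the message."""
    SENT_MAIL.append((address, token))


def recover_lost_vulnerable(username: str) -> dict:
    """Leaks account existence in two ways: the reply text differs for a
    known user, and token generation plus mail delivery run only for a
    known user, so the known-user path is measurably slower."""
    if username not in USERS:
        return {"status": 404, "msg": "Unknown username"}
    token = secrets.token_urlsafe(32)
    send_recovery_mail(USERS[username], token)
    return {"status": 200, "msg": "Recovery mail sent"}


def recover_lost_hardened(username: str) -> dict:
    """Same status, same body and at least the same elapsed time for any
    username. The token is always generated; only the final mail send
    depends on the lookup, and the response is padded to a fixed floor so
    that branch does not change the timing a client observes."""
    start = time.monotonic()
    token = secrets.token_urlsafe(32)  # always do the work
    address = USERS.get(username)
    if address is not None:
        send_recovery_mail(address, token)
    remaining = MIN_RESPONSE_SECONDS - (time.monotonic() - start)
    if remaining > 0:
        time.sleep(remaining)  # pad so both branches take the floor
    return {"status": 200,
            "msg": "If the account exists, a recovery mail has been sent"}


def uniform_response(handler, usernames) -> bool:
    """Self-check a reviewer can run against a handler: True when the
    handler's reply is byte-for-byte identical for every username given."""
    replies = [handler(u) for u in usernames]
    return all(r == replies[0] for r in replies)


def min_elapsed(handler, usernames) -> float:
    """Shortest wall-clock time the handler took over the given usernames;
    for the hardened handler this should not drop below the floor."""
    best = float("inf")
    for u in usernames:
        t0 = time.monotonic()
        handler(u)
        best = min(best, time.monotonic() - t0)
    return best


if __name__ == "__main__":
    probe = ["alice", "nobody"]
    print("vulnerable uniform:", uniform_response(recover_lost_vulnerable, probe))
    print("hardened uniform:  ", uniform_response(recover_lost_hardened, probe))
    print("hardened min time: %.3fs" % min_elapsed(recover_lost_hardened, probe))
```

Padding to a floor is the simplest fix and is enough for an in-process lookup. When the mail is actually sent over SMTP inside the request, the variance of that call can still exceed the floor, so the more robust shape is to enqueue the mail for a background worker and have the request path do identical work whether or not the user exists; rate limiting the route, as the workaround above suggests, limits how many probes an attacker can make in any case.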


Weakness Enumeration

Related Identifiers

CVE-2024-24770
GHSA-45GQ-Q4XH-CP53
GHSA-5H3X-6GWF-73JM

Affected Products

Vantage6