PT-2024-20549 · Unknown · Open Forms

Sergei-Maertens · Published 2024-02-07 · Updated 2024-02-15 · CVE-2024-24771

CVSS v3.1: 7.7 High
Vector: AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Open Forms versions prior to 2.2.9
Open Forms versions prior to 2.3.7
Open Forms versions prior to 2.4.5
Open Forms versions prior to 2.5.2
Description

Open Forms allows users to create and publish smart forms. The software contains a non-exploitable multi-factor authentication weakness. If an attacker manages to authenticate to Open Forms and compromises a superuser's credentials (username + password), they could potentially bypass the second-factor authentication. This could allow the attacker to view potentially sensitive submission data or impersonate other staff accounts to view and/or modify data. There are mitigating factors: the usual login page at "/admin/login/" requires the second factor to be successfully provided, the non-MFA-protected login page at "/api/v2/api-auth/login/" is misconfigured and cannot be used to log in, and there are no additional ways to log in. The maintainers of Open Forms do not believe it is or has been possible to perform this login.
Recommendations

For versions prior to 2.2.9, update to version 2.2.9 or later. For versions prior to 2.3.7, update to version 2.3.7 or later. For versions prior to 2.4.5, update to version 2.4.5 or later. For versions prior to 2.5.2, update to version 2.5.2 or later. As a temporary workaround, consider restricting access to the API auth endpoints (/api/v2/api-auth/login/) and applying a custom permission check to the hijack flow so that only second-factor-verified superusers can perform user hijacking.
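
The permission-check part of the workaround, shown as an added example rather than Open Forms' own code. It assumes the hijack flow is django-hijack, whose HIJACK_PERMISSION_CHECK setting names a callable invoked as check(hijacker=request.user, hijacked=target), and that django-otp's middleware attaches is_verified() to request.user so that it returns True only once the session has completed the second factor; the User class and accounts below are constructed stand-ins so the check runs without Django.

```python
from dataclasses import dataclass


@dataclass
class User:
    """Constructed stand-in for a Django user as the permission check sees it."""
    username: str
    is_active: bool = True
    is_superuser: bool = False
    otp_verified: bool = False  # constructed: what OTPMiddleware would report

    def is_verified(self) -> bool:
        # django-otp attaches this to request.user; mirrored here for the stub
        return self.otp_verified


def superusers_only(*, hijacker, hijacked) -> bool:
    """Weak check: any password-authenticated superuser may hijack a
    non-superuser. A superuser session that never completed the second
    factor passes this test."""
    return hijacker.is_superuser and not hijacked.is_superuser


def verified_superusers_only(*, hijacker, hijacked) -> bool:
    """Hardened check: also demands a second-factor-verified session and
    refuses inactive accounts on either side. Point HIJACK_PERMISSION_CHECK
    at this function's dotted path (hypothetical example:
    "myproject.permissions.verified_superusers_only")."""
    if not (hijacker.is_active and hijacked.is_active):
        return False
    if not hijacker.is_superuser or hijacked.is_superuser:
        return False
    # A request.user that never passed through OTPMiddleware has no
    # is_verified(); treat "unknown" as "not verified".
    is_verified = getattr(hijacker, "is_verified", lambda: False)
    return bool(is_verified())


# Constructed sample accounts.
ADMIN_NO_OTP = User("admin", is_superuser=True, otp_verified=False)
ADMIN_OTP = User("admin", is_superuser=True, otp_verified=True)
STAFF = User("staff")


def compare(hijacker, hijacked) -> dict:
    """Return both verdicts for one hijack attempt, for side-by-side review."""
    return {
        "default": superusers_only(hijacker=hijacker, hijacked=hijacked),
        "hardened": verified_superusers_only(hijacker=hijacker, hijacked=hijacked),
    }
```

With compare(ADMIN_NO_OTP, STAFF) the weak check allows the hijack while the hardened one denies it; only compare(ADMIN_OTP, STAFF) is allowed by both.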

Weakness Enumeration

Improper Access Control
Improper Authentication

Related Identifiers

CVE-2024-24771
GHSA-64R3-X3GF-VP63

Affected Products

Open Forms