PT-2024-32288 · Mfasoft · Mfasoft Secure Authentication Server

Published: 2024-09-16 · Updated: 2024-10-24 · CVE-2024-46937

CVSS v2.0: 9.4 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N
Name of the Vulnerable Software and Affected Versions: MFASOFT Secure Authentication Server (SAS) versions 1.8.x through 1.9.x before 1.9.040924

Description: An improper access control vulnerability in the "/api-selfportal/get-info-token-properties" endpoint allows remote attackers to gain access to user tokens without authentication. Because the serial parameter is a numeric identifier, it can be enumerated by brute force.

Recommendations: For MFASOFT Secure Authentication Server (SAS) versions 1.8.x through 1.9.x before 1.9.040924, consider disabling access to the "/api-selfportal/get-info-token-properties" endpoint until a patch is available. As a temporary workaround, restrict the use of the serial parameter to minimize the risk of exploitation. Update to version 1.9.040924 or later to resolve the issue.
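The advisory describes unauthenticated requests that walk a numeric serial parameter on one endpoint, which is a pattern that is visible in web server access logs. The following detector is an added example written for this page; it is not code from the advisory or from Mfasoft. It assumes a combined-style access log that keeps the query string in the request line and records "-" in the user field when no session was presented (both assumptions), and it runs over a few constructed sample lines. It flags source addresses that fetch token properties for several distinct serials without authentication inside a short window, notes whether those serials are consecutive, and counts how many of those requests the server answered with 200, which is the signal that the access control gap was actually exercised.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

ENDPOINT = "/api-selfportal/get-info-token-properties"

# Assumed log shape (not documented by the advisory): combined-style access log,
# query string kept in the request line, user field "-" when unauthenticated.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^?\s]+)(?:\?(?P<query>\S*))? [^"]+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample traffic (not real logs): 203.0.113.7 walks six consecutive
# serials with no session, 198.51.100.4 is an authenticated single lookup, and
# 192.0.2.9 makes two unauthenticated requests, which stays below the threshold.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Sep/2024:10:00:01 +0000] "GET /api-selfportal/get-info-token-properties?serial=100200 HTTP/1.1" 200 512
203.0.113.7 - - [16/Sep/2024:10:00:01 +0000] "GET /api-selfportal/get-info-token-properties?serial=100201 HTTP/1.1" 200 510
203.0.113.7 - - [16/Sep/2024:10:00:02 +0000] "GET /api-selfportal/get-info-token-properties?serial=100202 HTTP/1.1" 200 508
203.0.113.7 - - [16/Sep/2024:10:00:02 +0000] "GET /api-selfportal/get-info-token-properties?serial=100203 HTTP/1.1" 404 41
203.0.113.7 - - [16/Sep/2024:10:00:03 +0000] "GET /api-selfportal/get-info-token-properties?serial=100204 HTTP/1.1" 200 515
203.0.113.7 - - [16/Sep/2024:10:00:03 +0000] "GET /api-selfportal/get-info-token-properties?serial=100205 HTTP/1.1" 200 509
198.51.100.4 - alice [16/Sep/2024:10:00:05 +0000] "GET /api-selfportal/get-info-token-properties?serial=100777 HTTP/1.1" 200 511
192.0.2.9 - - [16/Sep/2024:10:00:07 +0000] "GET /api-selfportal/get-info-token-properties?serial=100900 HTTP/1.1" 200 507
192.0.2.9 - - [16/Sep/2024:10:00:08 +0000] "GET /api-selfportal/get-info-token-properties?serial=100901 HTTP/1.1" 200 507
"""


def parse_line(line: str) -> Optional[Dict]:
    """Parse one access-log line into a record; return None for lines we don't understand."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    params = {}
    for part in (d.get("query") or "").split("&"):
        if "=" in part:
            k, v = part.split("=", 1)
            params[k] = v
    return {
        "ip": d["ip"],
        "user": d["user"],
        "ts": datetime.strptime(d["ts"], TS_FMT),
        "path": d["path"],
        "status": int(d["status"]),
        "serial": params.get("serial"),
    }


def detect_enumeration(log_text: str, min_serials: int = 5, window_seconds: int = 60) -> List[Dict]:
    """Return one finding per source IP that requested token properties for at
    least `min_serials` distinct serials without an authenticated user inside
    any `window_seconds` window. The largest such window per IP is reported."""
    per_ip = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["path"] == ENDPOINT and rec["serial"] is not None:
            per_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in per_ip.items():
        unauth = sorted((r for r in recs if r["user"] == "-"), key=lambda r: r["ts"])
        best = None  # (sorted serial list, window records)
        start = 0
        for end in range(len(unauth)):
            # slide the window start forward until it fits inside window_seconds
            while (unauth[end]["ts"] - unauth[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = unauth[start:end + 1]
            serials = sorted({r["serial"] for r in window if r["serial"].isdigit()}, key=int)
            if len(serials) >= min_serials and (best is None or len(serials) > len(best[0])):
                best = (serials, window)
        if best is None:
            continue
        serials, window = best
        nums = [int(s) for s in serials]
        findings.append({
            "ip": ip,
            "distinct_serials": len(serials),
            "first_serial": serials[0],
            "last_serial": serials[-1],
            # strictly increasing by one is what a numeric brute force looks like
            "consecutive": all(b - a == 1 for a, b in zip(nums, nums[1:])),
            # 200s without a session mean the endpoint served data it should not have
            "served_without_auth": sum(1 for r in window if r["status"] == 200),
        })
    return findings


if __name__ == "__main__":
    for f in detect_enumeration(SAMPLE_LOG):
        print(f)
```

On a patched server (1.9.040924 or later) the unauthenticated requests should no longer return 200, so the `served_without_auth` count doubling as a post-upgrade check is the useful part; a non-zero value after the update means the mitigation is not in effect on the host that produced the log.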

Fix

IDOR


Weakness Enumeration

Related Identifiers

BDU:2026-01945
CVE-2024-46937

Affected Products

Mfasoft Secure Authentication Server