CVE-2024-50356

Name of the Vulnerable Software and Affected Versions: Press versions prior to the version containing commit ba0007c28ac814260f836849bc07d29beea7deb6

Description: The issue concerns a password reset vulnerability in Press, a custom app for Frappe Cloud that manages various services including infrastructure, subscription, and software-as-a-service (SaaS). This vulnerability allows anyone with access to a user's mail inbox to reset the password, effectively circumventing two-factor authentication (2FA). However, it's noted that even if the password is reset, the attacker would still be unable to log in if 2FA is enabled. Only users who have 2FA enabled are affected by this issue.

Recommendations: For versions prior to the one containing commit ba0007c28ac814260f836849bc07d29beea7deb6, update to a version that includes this commit to resolve the issue. As a temporary workaround, consider restricting access to email inboxes associated with accounts that have 2FA enabled to minimize the risk of password reset exploitation.