PT-2025-12146 · Langgenius · Dify

Published: 2025-03-20 · Updated: 2025-07-14 · CVE-2024-12776

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: langgenius/dify version 0.10.1

Description: The issue concerns the /forgot-password/resets endpoint, which does not verify the password reset code. This allows an attacker to reset the password of any user, including administrators, potentially leading to a complete compromise of the application.

Recommendations: For langgenius/dify version 0.10.1, consider disabling the /forgot-password/resets endpoint until a patch is available to prevent unauthorized password resets. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using the password reset functionality in the affected endpoint until the issue is resolved.
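The weakness class described above is a reset handler that acts on a reset request without checking the one-time code that was sent out-of-band. The following is an added, self-contained illustration (not Dify's code, and not a reproduction of the affected endpoint): a weak handler that skips the check sits beside a hardened one that binds the code to the requesting account, compares it in constant time, enforces expiry and single use, and revokes the token after repeated wrong guesses. All names (PasswordResetService, ResetRecord, reset_unverified, reset_verified) and the in-memory stores are hypothetical stand-ins for a real user database.

```python
"""Illustrative password-reset flow: an unverified handler beside a hardened one.
Constructed example, not the project's code; all names are hypothetical."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


def _hash(value: str) -> str:
    # Store only a digest of the one-time code. (For real password storage use a
    # dedicated password hash such as argon2 or bcrypt; sha256 is a stand-in here.)
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass
class ResetRecord:
    email: str          # account the reset was requested for
    code_hash: str      # digest of the code sent out-of-band
    expires_at: float   # unix timestamp after which the record is dead
    attempts: int = 0   # wrong-code submissions seen so far
    used: bool = False  # records are single-use


class PasswordResetService:
    MAX_ATTEMPTS = 5  # cap on wrong codes before the token is revoked

    def __init__(self, ttl_seconds: int = 900, now=time.time):
        self.now = now
        self.ttl = ttl_seconds
        self._records: dict[str, ResetRecord] = {}  # token_id -> record (hypothetical store)
        self._passwords: dict[str, str] = {}        # email -> password hash (stand-in for user DB)

    def issue(self, email: str) -> tuple[str, str]:
        """Create a reset record. token_id returns to the client; code goes out-of-band."""
        token_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self._records[token_id] = ResetRecord(email, _hash(code), self.now() + self.ttl)
        return token_id, code

    def reset_unverified(self, token_id: str, email: str, new_password: str) -> bool:
        """Weak handler: trusts the token id and caller-supplied email, never checks the code."""
        if token_id not in self._records:
            return False
        self._passwords[email] = _hash(new_password)
        return True

    def reset_verified(self, token_id: str, email: str, code: str, new_password: str) -> tuple[bool, str]:
        """Hardened handler: code must match the record, which must be live, unused and for this account."""
        rec = self._records.get(token_id)
        if rec is None or rec.used or self.now() > rec.expires_at:
            return False, "invalid or expired token"
        if rec.email != email:
            return False, "token not issued for this account"
        if not hmac.compare_digest(rec.code_hash, _hash(code)):
            rec.attempts += 1
            if rec.attempts >= self.MAX_ATTEMPTS:
                del self._records[token_id]  # burn the token after repeated failures
                return False, "too many attempts; token revoked"
            return False, "wrong code"
        rec.used = True
        self._passwords[email] = _hash(new_password)
        return True, "password updated"

    def password_hash(self, email: str):
        return self._passwords.get(email)


def demo() -> dict:
    """Run both handlers against a constructed reset request and report the outcomes."""
    svc = PasswordResetService(now=lambda: 1_000_000.0)
    token_id, code = svc.issue("admin@example.test")
    wrong_code = "000000" if code != "000000" else "000001"
    results = {}
    # Weak handler: holding a token id is enough to set any account's password.
    results["unverified_wrong_account"] = svc.reset_unverified(token_id, "victim@example.test", "pwned")
    # Hardened handler: wrong code and mismatched account fail; correct code works exactly once.
    results["verified_wrong_code"] = svc.reset_verified(token_id, "admin@example.test", wrong_code, "x")[0]
    results["verified_wrong_account"] = svc.reset_verified(token_id, "victim@example.test", code, "x")[0]
    results["verified_ok"] = svc.reset_verified(token_id, "admin@example.test", code, "new-secret")[0]
    results["verified_reuse"] = svc.reset_verified(token_id, "admin@example.test", code, "again")[0]
    return results


def expiry_demo() -> bool:
    """A correct code submitted after the TTL must be rejected."""
    clock = [0.0]
    svc = PasswordResetService(ttl_seconds=900, now=lambda: clock[0])
    token_id, code = svc.issue("user@example.test")
    clock[0] = 901.0
    ok, _ = svc.reset_verified(token_id, "user@example.test", code, "late")
    return ok


if __name__ == "__main__":
    print(demo(), "expired accepted:", expiry_demo())
```

The detection angle follows from the same record: a reset endpoint that completes without a matching code, for an account other than the one the token was issued to, or after the token's expiry is the condition to alert on, and the attempt counter gives a natural signal for code-guessing against a single token.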

Related Identifiers: CVE-2024-12776

Affected Products: Dify