CVE Vulnerabilities

CVE-2024-12776

Authentication Bypass by Primary Weakness

Published: Mar 20, 2025 | Modified: Mar 20, 2025
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

In langgenius/dify v0.10.1, the /forgot-password/resets endpoint does not verify the password reset code, allowing an attacker to reset the password of any user, including administrators. This vulnerability can lead to a complete compromise of the application.

Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

References