Description
In langgenius/dify v0.10.1, the /forgot-password/resets endpoint does not verify the password reset code, allowing an attacker to reset the password of any user, including administrators. This vulnerability can lead to a complete compromise of the application.
References
- Exploit, Third Party Advisory
Vulnerable configurations
Configuration 1
cpe:2.3:a:langgenius:dify:0.10.1:*:*:*:*:node.js:*:*
EPSS
Percentile: 37%
0.00164
Low
8.1 High
CVSS3
Weaknesses
CWE-305
Related vulnerabilities
CVSS3: 8.1
github
11 months ago
In langgenius/dify v0.10.1, the `/forgot-password/resets` endpoint does not verify the password reset code, allowing an attacker to reset the password of any user, including administrators. This vulnerability can lead to a complete compromise of the application.