CVE-2023-40260

EmpowerID before 7.205.0.1 allows an attacker to bypass an MFA (multi factor authentication) requirement if the first factor (username and password) is known, because the first factor is sufficient to change an account's email address, and the product would then send MFA codes to the new email address (which may be attacker-controlled). NOTE: this is different from CVE-2023-4177, which claims to be about "some unknown processing of the component Multi-Factor Authentication Code Handler" and thus cannot be correlated with other vulnerability information.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://nvd.nist.gov/vuln/detail/CVE-2023-40260
https://seclists.org/fulldisclosure/2023/Aug/3	Mailing List Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:empowerid:empowerid:*:*:*:*:*:*:*:*

History

20 Sep 2023, 21:15

Type	Values Removed	Values Added
References		(MISC) https://nvd.nist.gov/vuln/detail/CVE-2023-40260 -

22 Aug 2023, 20:38

Type	Values Removed	Values Added
CPE		cpe:2.3:a:empowerid:empowerid::::::::
CWE		CWE-287
First Time		Empowerid Empowerid empowerid
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.1
References	~~(MISC) https://seclists.org/fulldisclosure/2023/Aug/3 -~~	(MISC) https://seclists.org/fulldisclosure/2023/Aug/3 - Mailing List, Third Party Advisory

11 Aug 2023, 06:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-08-11 06:15

Updated : 2024-02-28 20:33

NVD link : CVE-2023-40260

Mitre link : CVE-2023-40260

CVE.ORG link : CVE-2023-40260

JSON object : View

Products Affected

empowerid

empowerid

CWE

CWE-287

Improper Authentication

{"id": "CVE-2023-40260", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2023-08-11T06:15:10.787", "references": [{"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40260", "source": "cve@mitre.org"}, {"url": "https://seclists.org/fulldisclosure/2023/Aug/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "EmpowerID before 7.205.0.1 allows an attacker to bypass an MFA (multi factor authentication) requirement if the first factor (username and password) is known, because the first factor is sufficient to change an account's email address, and the product would then send MFA codes to the new email address (which may be attacker-controlled). NOTE: this is different from CVE-2023-4177, which claims to be about \"some unknown processing of the component Multi-Factor Authentication Code Handler\" and thus cannot be correlated with other vulnerability information."}, {"lang": "es", "value": "EmpowerID antes de 7.205.0.1 permite a un atacante saltarse un requisito MFA (autenticaci\u00f3n multifactor) si se conoce el primer factor (nombre de usuario y contrase\u00f1a), porque el primer factor es suficiente para cambiar la direcci\u00f3n de correo electr\u00f3nico de una cuenta, y el producto enviar\u00eda entonces c\u00f3digos MFA a la nueva direcci\u00f3n de correo electr\u00f3nico (que puede estar controlada por el atacante). NOTA: esto es diferente de CVE-2023-4177, que dice referirse a \"alg\u00fan procesamiento desconocido del componente Multi-Factor Authentication Code Handler\" y, por tanto, no puede correlacionarse con otra informaci\u00f3n sobre vulnerabilidades."}], "lastModified": "2023-09-20T21:15:11.697", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:empowerid:empowerid:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "65844B44-B3A0-43C0-9627-7FBECC672C45", "versionEndExcluding": "7.205.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}