CVE-2024-12776

Summary

In langgenius/dify v0.10.1, the /forgot-password/resets endpoint does not verify the password reset code, allowing an attacker to reset the password of any user, including administrators. This vulnerability can lead to a complete compromise of the application.

Affected Software

VendorProductVersion RangeStatus
langgeniuslanggenius/difyunspecified <= latestaffected

Weaknesses

  • CWE-305: CWE-305 Authentication Bypass by Primary Weakness

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References