CVE-2024-12838

Summary

The passwordless login mechanism in CGFIDO from Changing Information Technology has an Authentication Bypass vulnerability, allowing remote attackers with regular privileges to send a crafted request to switch to the identity of any user, including administrators.

Affected Software

VendorProductVersion RangeStatus
Changing Information TechnologyCGFIDO0.0.1 < 1.1.0affected

Weaknesses

  • CWE-302: CWE-302 Authentication Bypass by Assumed-Immutable Data

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References