CVE-2023-40260

CRITICAL Year: 2023
CVSS v3 Score
9.1
Critical
Weakness Type
CWE-287
View all →

Vulnerability Description

EmpowerID before 7.205.0.1 allows an attacker to bypass an MFA (multi factor authentication) requirement if the first factor (username and password) is known, because the first factor is sufficient to change an account's email address, and the product would then send MFA codes to the new email address (which may be attacker-controlled). NOTE: this is different from CVE-2023-4177, which claims to be about "some unknown processing of the component Multi-Factor Authentication Code Handler" and thus cannot be correlated with other vulnerability information.

Related Vulnerabilities

CVE-2007-1966

CRITICAL
CVSS:9.1(Critical)

Session fixation vulnerability in eXV2 CMS 2.0.4.3 and earlier allows remote attackers to hijack web sessions by setting the PHPSESSID cookie.

CWE-2872007

CVE-2008-3738

CRITICAL
CVSS:9.1(Critical)

Session fixation vulnerability in SpaceTag LacoodaST 2.1.3 and earlier allows remote attackers to hijack web sessions via unspecified vectors.

CWE-2872008

CVE-2013-4454

CRITICAL
CVSS:9.1(Critical)

WordPress Portable phpMyAdmin Plugin 1.4.1 has Multiple Security Bypass Vulnerabilities

CWE-2872013

CVE-2013-4462

CRITICAL
CVSS:9.1(Critical)

WordPress Portable phpMyAdmin Plugin has an authentication bypass vulnerability

CWE-2872013

CVE-2014-4198

CRITICAL
CVSS:9.1(Critical)

A Two-Factor Authentication Bypass Vulnerability exists in BS-Client Private Client 2.4 and 2.5 via an XML request that neglects the use of ADPswID and AD parameters, which could let a malicious user ...

CWE-2872014

CVE-2016-4432

CRITICAL
CVSS:9.1(Critical)

The AMQP 0-8, 0-9, 0-91, and 0-10 connection handling in Apache Qpid Java before 6.0.3 might allow remote attackers to bypass authentication and consequently perform actions via vectors related to con...

CWE-2872016