CVE-2024-12039

CVSS v3 Score: 7.4 (High)

Vulnerability Description

langgenius/dify version v0.10.1 applies no limit to the number of code guess attempts during password reset. An unauthenticated attacker can therefore reset the password of the owner, an admin, or any other user within a few hours by guessing the six-digit code, resulting in a complete compromise of the application.

CVSS:7.4(High)

Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9 and earlier are affected by an Improper Restriction of Excessive Authentication Attempts vulnerability that could result in a security fe...

CVSS:7.5(High)

Compaq/Microcom 6000 Access Integrator does not disconnect a client after a certain number of failed login attempts, which allows remote attackers to guess usernames or passwords via a brute force att...

CVSS:7.5(High)

The Telnet service for Polycom ViewStation before 7.2.4 does not restrict the number of failed login attempts, which makes it easier for remote attackers to guess usernames and passwords via a brute f...

CVSS:7.5(High)

The py-bcrypt module before 0.3 for Python does not properly handle concurrent memory access, which allows attackers to bypass authentication via multiple authentication requests, which trigger the pa...

CVSS:7.5(High)

Cryptocat before 2.0.42 has a brute-force weakness in Group Chat ECC private key generation.

CVSS:7.5(High)

JHipster generator-jhipster before 2.23.0 allows a timing attack against validateToken due to a string comparison that stops at the first character that is different. Attackers can guess tokens by bru...