| CVE ID | CVE-2024-2463 |
| Publication date | 21 March 2024 |
| Vendor | CDeX PSA |
| Product | CDeX |
| Vulnerable versions | through 5.71 |
| Vulnerability type (CWE) | Weak Password Recovery Mechanism for Forgotten Password (CWE-640) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2024-2464 |
| Publication date | 21 March 2024 |
| Vendor | CDeX PSA |
| Product | CDeX |
| Vulnerable versions | through 5.71 |
| Vulnerability type (CWE) | Observable Discrepancy (CWE-203) |
| Report source | Report to CERT Polska |

| CVE ID | CVE-2024-2465 |
| Publication date | 21 March 2024 |
| Vendor | CDeX PSA |
| Product | CDeX |
| Vulnerable versions | through 5.71 |
| Vulnerability type (CWE) | URL Redirection to Untrusted Site ('Open Redirect') (CWE-601) |
| Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in CDeX software and participated in coordination of their disclosure.
The vulnerability CVE-2024-2463 is a weak password recovery mechanism that allows an attacker to retrieve the password reset token.
The vulnerability CVE-2024-2464 allows enumeration of application users. The issue occurs during password recovery, where a difference in the returned messages lets an attacker determine whether a given user exists, enabling a brute-force attack against known valid accounts.
The vulnerability CVE-2024-2465 allows users to be redirected to arbitrary websites via a specially crafted URL.
The vendor has confirmed that the vulnerabilities are fixed in versions newer than 5.7.1.
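As an added illustration (not CDeX code and not part of the advisory), the Python below sketches the defensive patterns behind the three weakness classes listed above: the response-discrepancy pattern CWE-203 describes beside a recovery handler that answers identically for known and unknown addresses and stores only a hash of a CSPRNG-generated reset token (CWE-640), plus a redirect-target check for CWE-601. The user store and application host name are constructed placeholders.

```python
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed in-memory user store (assumption: not the product's real data model).
USERS = {"alice@example.com": {"reset_token_hash": None}}

UNIFORM_MESSAGE = "If an account exists for this address, a reset link has been sent."


def request_reset_vulnerable(email: str, users: dict) -> str:
    """CWE-203 pattern: the reply text itself reveals whether the account exists."""
    if email not in users:
        return "No account found for this address."
    return "A reset link has been sent."


def request_reset_hardened(email: str, users: dict) -> Tuple[str, Optional[str]]:
    """Same reply for known and unknown addresses; token is unpredictable and stored only hashed.

    The token is returned here so the caller can deliver it out of band (e-mail);
    it must never appear in the HTTP response body or in any log line.
    """
    token = None
    if email in users:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        users[email]["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    return UNIFORM_MESSAGE, token


def verify_reset_token(email: str, presented: str, users: dict) -> bool:
    """Constant-time comparison of the hash of the presented token against the stored hash."""
    record = users.get(email)
    if record is None or record["reset_token_hash"] is None:
        return False
    presented_hash = hashlib.sha256(presented.encode()).hexdigest()
    return secrets.compare_digest(presented_hash, record["reset_token_hash"])


def is_safe_redirect(target: str, app_host: str) -> bool:
    """CWE-601 mitigation: allow only site-relative paths or absolute URLs on the app's own host."""
    if "\\" in target:  # browsers may treat "/\evil" as protocol-relative; reject outright
        return False
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        return target.startswith("/") and not target.startswith("//")
    return parsed.scheme in ("http", "https") and parsed.netloc.lower() == app_host.lower()
```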
Credits
We thank Michał Walkowski, PhD for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.