CVE-2024-24769
Vantage6: No limit on emails sent for password/MFA reset
Description
Impact
Users can reset their MFA token via API routes that send them an email. The number of emails sent is currently not limited. This gives an attacker the option to flood someone's mailbox with a large number of emails, and the resulting volume could also harm the SMTP server, which may end up flagged as a spam sender. Note that resetting the MFA token requires a correct password, so the potential impact is very low.
Patches
No
Workarounds
No
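The following is an added example, not vantage6 code, showing the pattern the advisory describes (an authenticated reset route that sends one email per request with no cap) next to a version that enforces per-account and per-source-IP sliding-window limits. The handler names, the limits (3 emails per account and 10 per source IP per hour), the in-memory outbox and the constructed username and IP used in the scenario are all assumptions made for illustration.

```python
"""Added example (not vantage6 code): rate-limiting a reset-email endpoint.

A minimal model of an MFA-reset route is shown next to a version that
enforces per-account and per-source-IP sliding-window limits. Handler names,
the limits and the in-memory outbox are assumptions made for illustration.
"""
from collections import defaultdict, deque
import time

WINDOW_SECONDS = 3600   # assumed: one-hour trailing window
ACCOUNT_LIMIT = 3       # assumed: reset emails per account per window
IP_LIMIT = 10           # assumed: reset emails per source IP per window


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within the trailing window."""

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._events = defaultdict(deque)  # key -> timestamps of allowed events

    def allow(self, key):
        now = self.clock()
        q = self._events[key]
        # Expire timestamps that have fallen out of the trailing window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class EndpointState:
    """Per-process state a handler needs: limiters plus a stand-in outbox."""

    def __init__(self, clock=time.monotonic):
        self.per_account = SlidingWindowLimiter(ACCOUNT_LIMIT, WINDOW_SECONDS, clock)
        self.per_ip = SlidingWindowLimiter(IP_LIMIT, WINDOW_SECONDS, clock)
        self.outbox = []  # records recipients instead of talking to SMTP


def reset_mfa_unlimited(state, username, password_ok, source_ip):
    """Shape the advisory describes: a correct password is the only gate,
    so every repeated call sends another email."""
    if not password_ok:
        return 401
    state.outbox.append(username)
    return 200


def reset_mfa_limited(state, username, password_ok, source_ip):
    """Hardened shape: authenticate first so wrong passwords consume no quota,
    then check the IP bucket before the account bucket so one source cannot
    exhaust an account's allowance without also spending its own."""
    if not password_ok:
        return 401
    if not state.per_ip.allow(source_ip):
        return 429
    if not state.per_account.allow(username):
        return 429
    state.outbox.append(username)
    return 200


class FakeClock:
    """Injectable clock so the window can be advanced without sleeping."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def run_scenario(handler, requests=20):
    """Fire `requests` valid reset calls for one constructed account from one
    constructed IP, try a wrong password, then make one more valid call after
    the window has elapsed. Returns emails sent, calls rejected with 429, and
    the status codes of the wrong-password and post-window calls."""
    clock = FakeClock()
    state = EndpointState(clock)
    statuses = [handler(state, "alice", True, "203.0.113.5") for _ in range(requests)]
    wrong_password = handler(state, "alice", False, "203.0.113.5")
    clock.advance(WINDOW_SECONDS)
    after_window = handler(state, "alice", True, "203.0.113.5")
    return {
        "sent": len(state.outbox),
        "rejected": statuses.count(429),
        "wrong_password": wrong_password,
        "after_window": after_window,
    }


if __name__ == "__main__":
    print("unlimited:", run_scenario(reset_mfa_unlimited))
    print("limited:  ", run_scenario(reset_mfa_limited))
```

With 20 valid requests the unlimited handler sends 20 emails (21 counting the post-window call); the limited one sends 3, rejects the remaining 17, and accepts again once the hour has passed. The in-memory deques are only suitable for a single process: a real deployment would keep the window counters in a shared store such as Redis or the application database so the limit holds across workers and restarts, and would log rejected attempts so repeated reset floods are visible to operators.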
How to fix CVE-2024-24769
To remediate CVE-2024-24769, upgrade the affected package to a fixed version below.
- PyPI/vantage6: upgrade to 5.0.0 or later
Is CVE-2024-24769 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2024-24769.
Affected packages (1)
- PyPI/vantage6: all versions from 0 up to, but not including, 5.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |