CRITICAL🇵🇱 Wersja polska

CVE-2024-41276

CVSS 9.8v3.1pub. 2024-10-01upd. 2026-04-15

A vulnerability in Kaiten version 57.131.12 and earlier allows attackers to bypass the PIN code authentication mechanism. The application requires users to input a 6-digit PIN code sent to their email for authorization after entering their login credentials. However, the request limiting mechanism can be easily bypassed, enabling attackers to perform a brute force attack to guess the correct PIN and gain unauthorized access to the application.

🤖 AI Analysis
How it works

The Kaiten application requires users to provide a 6-digit PIN code sent to their email address as a second authentication stage after providing login credentials. However, the mechanism limiting the number of attempts (rate limiting) is vulnerable to bypass, allowing an attacker to perform a brute force attack on a space of only 1,000,000 possible combinations. As a result, an attacker can iterate through all possible PIN codes without obstruction until finding the correct one. The vulnerability is classified as CWE-307 (Improper Restriction of Excessive Authentication Attempts).

Impact

An attacker who knows or obtains user login credentials (username and password) can completely bypass the second authentication stage and gain unauthorized access to an account in the Kaiten application, resulting in a breach of confidentiality, integrity, and data availability.

Mitigation & patch

Apply patches available from the vendor according to the references. It is recommended to update Kaiten to a version newer than 57.131.12 and verify the effectiveness of the rate limiting mechanism for the PIN code verification endpoint.

Who is affected

Kaiten version 57.131.12 and earlier.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References