HIGH🇵🇱 Wersja polska

CVE-2024-51557

CVSS 7.1v4.0pub. 2024-11-04upd. 2024-11-08

This vulnerability exists in the Wave 2.0 due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoint which could lead to the OTP bombing/flooding on the targeted system.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • 63moons Aero

    APP
    63Moons
    < 120820241550
  • 63moons Wave 2.0

    APP
    63Moons
    < 1.1.7
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-51558CRITICAL9.3PL ✓ten sam produkt

Brak ograniczeń liczby prób logowania w Wave 2.0 (brute force)

CVE-2024-51561CRITICAL9.3PL ✓ten sam produkt

Obejście weryfikacji OTP w produktach 63Moons Aero i Wave 2.0

CVE-2024-51556HIGH7.1ten sam produkt

This vulnerability exists in the Wave 2.0 due to insufficient encryption of sensitive data received at the API...

CVE-2024-51559HIGH7.1ten sam produkt

This vulnerability exists in the Wave 2.0 due to improper authorization checks on certain API endpoints. An au...

CVE-2024-51560HIGH7.1ten sam produkt

This vulnerability exists in the Wave 2.0 due to improper exception handling for invalid inputs at certain API...