CVE-2024-24771

MEDIUM EPSS 44.2%
Published Feb 7, 20242y ago · Modified Jun 17, 20262w ago
5.9 CVSS 3.1
Medium
Find Similar
Published Feb 7, 2024 2y ago
Last Modified Jun 17, 2026 2w ago

Description

Open Forms allows users create and publish smart forms. Versions prior to 2.2.9, 2.3.7, 2.4.5, and 2.5.2 contain a non-exploitable multi-factor authentication weakness. Superusers who have their credentials (username + password) compromised could potentially have the second-factor authentication bypassed if an attacker somehow managed to authenticate to Open Forms. The maintainers of Open Forms do not believe it is or has been possible to perform this login. However, if this were possible, the victim's account may be abused to view (potentially sensitive) submission data or have been used to impersonate other staff accounts to view and/or modify data. Three mitigating factors to help prevent exploitation include: the usual login page (at `/admin/login/`) does not fully log in the user until the second factor was succesfully provided; the additional non-MFA protected login page at `/api/v2/api-authlogin/` was misconfigured and could not be used to log in; and there are no additional ways to log in. This also requires credentials of a superuser to be compromised to be exploitable. Versions 2.2.9, 2.3.7, 2.4.5, and 2.5.2 contain the following patches to address these weaknesses: Move and only enable the API auth endpoints (`/api/v2/api-auth/login/`) with `settings.DEBUG = True`. `settings.DEBUG = True` is insecure and should never be applied in production settings. Additionally, apply a custom permission check to the hijack flow to only allow second-factor-verified superusers to perform user hijacking.

CVSS Details

Base Score
5.9
Exploitability
0.7
Impact
5.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity High
Privileges Required High
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability None

Threat Intelligence

EPSS Exploit Probability
44.2% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 3

CWE-284
CWE-287 Improper Authentication Authentication
CWE-654

Affected Products 4

VendorProductVersionRange
maykinmediaopen_forms* <2.2.9
maykinmediaopen_forms*≥2.3.0  –  <2.3.7
maykinmediaopen_forms*≥2.4.0  –  <2.4.5
maykinmediaopen_forms*≥2.5.0  –  <2.5.2

References 5

  • github.com https://github.com/open-formulieren/open-forms/releases/tag/2.2.9
    Release Notes
  • github.com https://github.com/open-formulieren/open-forms/releases/tag/2.3.7
    Release Notes
  • github.com https://github.com/open-formulieren/open-forms/releases/tag/2.4.5
    Release Notes
  • github.com https://github.com/open-formulieren/open-forms/releases/tag/2.5.2
    Release Notes
  • github.com https://github.com/open-formulieren/open-forms/security/advisories/GHSA-64r3-x3gf-vp63
    MitigationVendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.