CRITICAL🇵🇱 Wersja polska

CVE-2024-26520

CVSS 9.8v3.1pub. 2024-07-26upd. 2026-04-15

An issue in Hangzhou Xiongwei Technology Development Co., Ltd. Restaurant Digital Comprehensive Management platform v1 allows an attacker to bypass authentication and perform arbitrary password resets.

🤖 AI Analysis
How it works

The vulnerability (classified as CWE-620 — Unverified Password Change) lies in improper identity verification during the password change process. An attacker can remotely trigger a password reset procedure for any account without possessing any authentication credentials. The lack of proper validation of the requester's identity enables account takeover without knowledge of current passwords.

Impact

An attacker can take control of any account in the system, including administrative accounts, thereby gaining full access to the restaurant management platform. This can lead to data disclosure, modification of system configuration, and disruption of service continuity.

Mitigation & patch

Patches available from the vendor should be applied in accordance with the references. As a temporary measure, it is recommended to restrict network access to the platform only to trusted IP addresses and to implement enhanced monitoring of password reset attempts.

Who is affected

Restaurant Digital Comprehensive Management platform by Hangzhou Xiongwei Technology Development Co., Ltd. in version v1.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References