CRITICAL🇵🇱 Wersja polska

CVE-2025-63807

CVSS 9.8v3.1pub. 2025-11-20upd. 2026-01-15

An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods.

🤖 AI Analysis
How it works

The verification code generation mechanism is predictable or too short, making the space of possible values limited. The lack of any rate limiting (request frequency restriction) allows an attacker to automatically send mass attempts to guess the code without any blocks. After guessing the verification code, the attacker can reset the password to the target account or bypass another authentication mechanism (authentication bypass). The attack requires no privileges or user interaction.

Impact

An attacker can take control of any user account through password reset or other authentication bypass methods, gaining full access to the victim's account data and functions.

Mitigation & patch

Apply patches available from the vendor according to references. It is also recommended to immediately implement rate limiting on endpoints handling code verification and use a cryptographically secure verification code generator with sufficient length and entropy.

Who is affected

The weijiang1994 university-bbs (2Dogz Blogin) application in the version containing commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 from 2025-01-13

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • 2dogz Blogin

    APP
    2Dogz
    ≤ 2024-11-09
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References