An issue was discovered in weijiang1994 university-bbs (aka Blogin) in commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 (2025-01-13). A weak verification code generation mechanism combined with missing rate limiting allows attackers to perform brute-force attacks on verification codes without authentication. Successful exploitation may result in account takeover via password reset or other authentication bypass methods.
The verification code generation mechanism is predictable or too short, making the space of possible values limited. The lack of any rate limiting (request frequency restriction) allows an attacker to automatically send mass attempts to guess the code without any blocks. After guessing the verification code, the attacker can reset the password to the target account or bypass another authentication mechanism (authentication bypass). The attack requires no privileges or user interaction.
An attacker can take control of any user account through password reset or other authentication bypass methods, gaining full access to the victim's account data and functions.
Apply patches available from the vendor according to references. It is also recommended to immediately implement rate limiting on endpoints handling code verification and use a cryptographically secure verification code generator with sufficient length and entropy.
The weijiang1994 university-bbs (2Dogz Blogin) application in the version containing commit 9e06bab430bfc729f27b4284ba7570db3b11ce84 from 2025-01-13
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H2dogz Blogin
APP2Dogz≤ 2024-11-09