{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-40260", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-10T15:45:50.863Z", "dateReserved": "2023-08-11T00:00:00", "datePublished": "2023-08-11T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-09-20T20:12:20.918736"}, "descriptions": [{"lang": "en", "value": "EmpowerID before 7.205.0.1 allows an attacker to bypass an MFA (multi factor authentication) requirement if the first factor (username and password) is known, because the first factor is sufficient to change an account's email address, and the product would then send MFA codes to the new email address (which may be attacker-controlled). NOTE: this is different from CVE-2023-4177, which claims to be about \"some unknown processing of the component Multi-Factor Authentication Code Handler\" and thus cannot be correlated with other vulnerability information."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://seclists.org/fulldisclosure/2023/Aug/3"}, {"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40260"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:55.909Z"}, "title": "CVE Program Container", "references": [{"url": "https://seclists.org/fulldisclosure/2023/Aug/3", "tags": ["x_transferred"]}, {"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40260", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-10-10T15:45:42.689084Z", "id": "CVE-2023-40260", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-10T15:45:50.863Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-40260", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-10-10T15:45:50.863Z", "dateReserved": "2023-08-11T00:00:00", "datePublished": "2023-08-11T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-09-20T20:12:20.918736"}, "descriptions": [{"lang": "en", "value": "EmpowerID before 7.205.0.1 allows an attacker to bypass an MFA (multi factor authentication) requirement if the first factor (username and password) is known, because the first factor is sufficient to change an account's email address, and the product would then send MFA codes to the new email address (which may be attacker-controlled). NOTE: this is different from CVE-2023-4177, which claims to be about \"some unknown processing of the component Multi-Factor Authentication Code Handler\" and thus cannot be correlated with other vulnerability information."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://seclists.org/fulldisclosure/2023/Aug/3"}, {"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40260"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:24:55.909Z"}, "title": "CVE Program Container", "references": [{"url": "https://seclists.org/fulldisclosure/2023/Aug/3", "tags": ["x_transferred"]}, {"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40260", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-40260", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-10-10T15:45:42.689084Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-10-10T15:45:46.612Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:empowerid:empowerid:*:*:*:*:*:*:*:*", "matchCriteriaId": "65844B44-B3A0-43C0-9627-7FBECC672C45", "versionEndExcluding": "7.205.0.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "EmpowerID before 7.205.0.1 allows an attacker to bypass an MFA (multi factor authentication) requirement if the first factor (username and password) is known, because the first factor is sufficient to change an account's email address, and the product would then send MFA codes to the new email address (which may be attacker-controlled). NOTE: this is different from CVE-2023-4177, which claims to be about \"some unknown processing of the component Multi-Factor Authentication Code Handler\" and thus cannot be correlated with other vulnerability information."}, {"lang": "es", "value": "EmpowerID antes de 7.205.0.1 permite a un atacante saltarse un requisito MFA (autenticaci\u00f3n multifactor) si se conoce el primer factor (nombre de usuario y contrase\u00f1a), porque el primer factor es suficiente para cambiar la direcci\u00f3n de correo electr\u00f3nico de una cuenta, y el producto enviar\u00eda entonces c\u00f3digos MFA a la nueva direcci\u00f3n de correo electr\u00f3nico (que puede estar controlada por el atacante). NOTA: esto es diferente de CVE-2023-4177, que dice referirse a \"alg\u00fan procesamiento desconocido del componente Multi-Factor Authentication Code Handler\" y, por tanto, no puede correlacionarse con otra informaci\u00f3n sobre vulnerabilidades."}], "id": "CVE-2023-40260", "lastModified": "2024-11-21T08:19:04.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-11T06:15:10.787", "references": [{"source": "cve@mitre.org", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40260"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/fulldisclosure/2023/Aug/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40260"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://seclists.org/fulldisclosure/2023/Aug/3"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}