CVE-2024-12039

High CVSS: 8.1

langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few hours by guessing the six-digit code, resulting in a complete compromise of the application.

Vendor

Langgenius

Product

Dify

CWE

CWE-307

Yayın Tarihi

2025-03-20 10:15:26

Güncelleme

2025-07-15 15:59:02

Source Identifier

security@huntr.dev

KEV Date Added

Kategoriler

CWE-307 Dify HIGH Langgenius 2025

Referanslar

https://huntr.com/bounties/61af30d5-6055-4c6c-8a55-3fa43dada512

Benzer Kayıtlar

High

CVE-2025-63387

Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to th…

Critical

CVE-2025-56157

Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file inclu…

Critical

CVE-2025-63386

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup en…

Critical

CVE-2025-63388

A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-f…

Medium

CVE-2025-11750

In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning d…

Low

CVE-2025-58747

Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable t…