Related vulnerabilities

GHSA-5549-C5Q7-FJ65

Vulnerability from github – Published: 2026-06-05 15:21 – Updated: 2026-06-05 15:24
Summary
Vantage6: No limit on emails sent for password/MFA reset
Details

Impact

Users can reset their MFA token via API routes that send them an email. Currently, the number of emails sent is not limited. This lets an attacker flood someone's mailbox with a large number of emails, and it could have adverse effects on the SMTP server, which may come to be seen as a spam sender.

Note that resetting the MFA token requires a correct password, so the potential impact of this is very low.

Patches

No

Workarounds

No


{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "vantage6"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-24769"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-05T15:21:59Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Impact\nUsers can reset their MFA token via API routes that send them an email. Currently the number of emails that is sent is not limited. This gives attackers the option to flood someones mailbox with a lot of emails, and would have adverse effects on the SMTP server which may be seen as spam sender.\n\nNote resetting the MFA token requires a correct password, so the potential impact for this is very low.\n\n### Patches\nNo\n\n### Workarounds\nNo",
  "id": "GHSA-5549-c5q7-fj65",
  "modified": "2026-06-05T15:24:51Z",
  "published": "2026-06-05T15:21:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/security/advisories/GHSA-5549-c5q7-fj65"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/issues/1932"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/vantage6/vantage6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/vantage6/vantage6/blob/main/docs/release_notes.rst#500"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Vantage6: No limit on emails sent for password/MFA reset"
}

GSD-2024-24769

Vulnerability from gsd - Updated: 2024-01-30 06:03
Details
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
Aliases

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-24769"
      ],
      "id": "GSD-2024-24769",
      "modified": "2024-01-30T06:03:12.486605Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2024-24769",
        "STATE": "RESERVED"
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided."
          }
        ]
      }
    }
  }
}