[CVE-2023-49032] Hijack SMS codes to an arbitrary phone number

[piuppi]

Hi @coudot , All,

I have found a vulnerability that would allow an attacker to hijack SMS codes to an arbitrary phone number. This could lead to any user's passwords being changed without any notification.
I am worried that if the PoC appears on GitHub it could be exploited; could you please provide me with an e-mail address on which to continue responsible disclosure?

Thank you and Regards

[coudot]

Of course, write to clement.oudot at worteks.com

[piuppi]

Of course, write to clement.oudot at worteks.com

Thanks, I just sent you the email from my corporate mailbox. I am waiting for your feedback. thank you.

[coudot]

Hello @piuppi

bug confirmed and patch provided privately. It will be published in 1.5.4 which should be released very soon.

[piuppi]

Hello @coudot

thank you for confirming the bug and providing the patch privately. I also wanted to inform you that I have initiated the process of requesting a CVE for this vulnerability to ensure that it is properly documented and tracked. I appreciate your efforts in addressing this issue, and I look forward to the public release of version 1.5.4 with the implemented patch. If there are any additional steps or information needed from my side, please let me know. Thank you again for your prompt response.

[coudot]

Applied in master with commit eddde9f and commit 603a509

[coudot]

@piuppi Version 1.5.4 was released today: https://github.com/ltb-project/self-service-password/releases/tag/v1.5.4

Please let me know if you got a CVE number

[piuppi]

@coudot I made the request, I'm waiting for the CVE ID to be assigned to me. As soon as I have news I'll write to you here

[piuppi]

Hello @coudot, MITRE assigned CVE-2023-49032. Regards.