Protect Your Data: Open Forms Addresses Multi-Factor Authentication Weakness

CVE: CVE-2024-24771
CVSS (v3.1): 7.7
Source: CVE-2024-24771

Open Forms is a popular form-building tool that allows users to create and publish smart forms. However, earlier versions of Open Forms contained a weakness in their multi-factor authentication implementation.

Specifically, in versions prior to 2.2.9, 2.3.7, 2.4.5 and 2.5.2, if an attacker somehow managed to obtain the username and password of a superuser account, they may have been able to bypass the second authentication factor and fully access that user’s account. This could enable viewing or modifying sensitive form submission data.

While exploiting this vulnerability would have required obtaining valid credentials and bypassing several mitigations, the development team took action to fully address the weakness. The fixed versions (2.2.9, 2.3.7, 2.4.5 and 2.5.2) implement additional authentication checks and move the affected authentication endpoints behind a debug flag, so they are not exposed in a normal deployment.
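To make the two mitigations concrete, here is an added illustration of the defensive pattern they describe: a password-only login must never be enough to reach protected resources, and auxiliary endpoints should exist only when an explicit debug flag is set. This is constructed example code, not Open Forms' own code, and the user store, the `Server`/`Session` classes, the TOTP secret and the `debug_whoami` endpoint are all assumptions made for the demonstration.

```python
"""Constructed example: a login flow where the second factor is enforced
server-side on every protected request, not just at the login form."""
import hashlib
import hmac
import secrets
import struct
import time

SALT = b"constructed-static-salt"  # a real deployment uses a per-user random salt


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: the only account is a superuser with a TOTP secret.
USERS = {
    "admin": {
        "pw_hash": _hash_password("correct horse battery staple", SALT),
        "totp_secret": b"constructed-totp-secret-bytes",
        "is_superuser": True,
    }
}


def totp_code(secret, timestamp, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", int(timestamp) // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


class AuthError(Exception):
    pass


class Session:
    def __init__(self, username):
        self.id = secrets.token_urlsafe(16)
        self.username = username
        self.mfa_verified = False  # password accepted, second factor still pending


class Server:
    def __init__(self, debug=False):
        self.sessions = {}
        self.debug = debug  # assumption: mirrors the "behind a debug flag" mitigation

    def login_password(self, username, password):
        """Step 1: password check. Yields only a *partial* session."""
        user = USERS.get(username)
        if user is None or not hmac.compare_digest(user["pw_hash"], _hash_password(password, SALT)):
            raise AuthError("invalid credentials")
        session = Session(username)
        self.sessions[session.id] = session
        return session.id

    def login_totp(self, session_id, code, now=None):
        """Step 2: second factor. Only this promotes the session to full access."""
        session = self.sessions.get(session_id)
        if session is None:
            raise AuthError("unknown session")
        secret = USERS[session.username]["totp_secret"]
        now = time.time() if now is None else now
        # Accept the current step and one step either side to tolerate clock drift.
        valid = [totp_code(secret, now + delta) for delta in (-30, 0, 30)]
        if not any(hmac.compare_digest(str(code), v) for v in valid):
            raise AuthError("invalid second factor")
        session.mfa_verified = True
        return True

    def require_full_auth(self, session_id):
        """Every protected endpoint gates on this, not on 'a session exists'."""
        session = self.sessions.get(session_id)
        if session is None or not session.mfa_verified:
            raise AuthError("second factor required")
        return session

    def view_submissions(self, session_id):
        session = self.require_full_auth(session_id)
        if not USERS[session.username]["is_superuser"]:
            raise AuthError("forbidden")
        return ["constructed submission #1"]  # placeholder data

    def debug_whoami(self, session_id):
        """Auxiliary endpoint that is simply absent unless the debug flag is on."""
        if not self.debug:
            raise AuthError("not found")
        return self.require_full_auth(session_id).username


def denied(call, *args, **kwargs):
    """Demonstration helper: True when the call is refused with AuthError."""
    try:
        call(*args, **kwargs)
        return False
    except AuthError:
        return True
```

The important design choice is that `require_full_auth` checks the `mfa_verified` bit on the session itself, so a session minted from a correct password alone is refused by every protected endpoint; the second factor is enforced by the resource, not merely by the login page. The `debug` flag shows the second mitigation: an endpoint that is not registered at all in production cannot be reached there, whatever state a session is in.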

If you use Open Forms, be sure to update to the latest version to protect your data. Also, always use unique and strong passwords for admin accounts. While this particular issue has been fixed, staying up-to-date on software is important for any online tools that store or process sensitive information. Taking basic security precautions helps prevent attackers from accessing your accounts or data.
