CVE-2024-27928
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk19th percentile — higher than 19% of all known CVEs
Summary
In versions prior to 5.0.0 of the vantage6 software, an attacker who gains access to a user's email account can reset the password and the 2FA token via email, reducing security to a single authentication factor (email access). Version 5.0.0 fixes this issue.
Risk Assessment
Organizations may be vulnerable to attacks that allow attackers to take over user accounts, potentially leading to unauthorized access to sensitive data. Although most email providers require 2FA, the risk still exists.
Recommendation
It is recommended to upgrade to version 5.0.0 or later to mitigate this vulnerability. Additionally, consider implementing further protective measures for users' email accounts.
Original NVD description (English source)
vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, if an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access). Note that most email providers require 2FA to access email, so this issue is not very likely to cause issues. Version 5.0.0 fixes the issue. No known workarounds are available.

