EPSS
Percentile
37.9%
rdiffweb is vulnerable to authentication bypass. The vulnerability exists in config.py, because the application does not ask for 2FA during the user email change, allowing a local attacker to turn off 2FA on an account.
config.py
github.com/advisories/GHSA-4wph-9vrm-6v3w
github.com/ikus060/rdiffweb/commit/f2a32f2a9f3fb8be1a9432ac3d81d3aacdb13095
huntr.dev/bounties/5340c2f6-0252-40f6-8929-cca5d64958a5