Description
Capgo before 12.128.2 allows email address changes without requiring current password re-authentication or verification of the existing email address. An attacker with access to a valid session cookie or authenticated browser can change the account email to gain control of account recovery and bypass multi-factor authentication protections.
Problem types
Weak Password Recovery Mechanism for Forgotten Password
Product status
Any version before 12.128.2
12.128.2 (semver)
References
github.com/.../capgo/security/advisories/GHSA-9px4-w25f-mvm4
github.com/.../capgo/security/advisories/GHSA-9px4-w25f-mvm4 (GitHub Security Advisory (GHSA-9px4-w25f-mvm4))
www.vulncheck.com/...authentication-in-email-change-endpoint (VulnCheck Advisory: Capgo - Insufficient Authentication in Email Change Endpoint)