漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Insecure API Design in danny-avila/librechat
Vulnerability Description
In danny-avila/librechat version 0.7.9, there is an insecure API design issue in the 2-Factor Authentication (2FA) flow. The system allows users to disable 2FA without requiring a valid OTP or backup code, bypassing the intended verification process. This vulnerability occurs because the backend does not properly validate the OTP or backup code when the API endpoint '/api/auth/2fa/disable' is directly accessed. This flaw can be exploited by authenticated users to weaken the security of their own accounts, although it does not lead to full account compromise.
CVSS Information
N/A
Vulnerability Type
预期行为违背
Vulnerability Title
LibreChat 安全漏洞
Vulnerability Description
LibreChat是Danny Avila个人开发者的一个增强的 ChatGPT 克隆。 LibreChat 0.7.9版本存在安全漏洞,该漏洞源于2FA禁用流程中未正确验证OTP或备份代码,可能导致账户安全性降低。
CVSS Information
N/A
Vulnerability Type
N/A