Key Information

CVE: CVE-2023-1647
Published: Yes
Vulnerability Type: CWE-284: Improper Access Control
Severity: High (8.8)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: High
Affected Version: 2.5.12
Visibility: Public
Status: Fixed
Found By: Manojkumar J (@thewhiteevil)

Impact: Victim Account Takeover
- An attacker can easily create an account using the victim's email
- Pre-authentication to the victim's account
- Persistence of the attacker
- Ability to see all activities performed by the victim user
- Impact on confidentiality, integrity, and availability
- Particularly impactful if the organization uses G-Suite

References: Published CVE ID for this kind of pre-account takeover and persistence vulnerability due to OAuth misconfiguration: Link

Fix: Ensuring proper email verification and OAuth implementation
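The fix above, shown as an added illustration that is not the affected project's code: a minimal sign-in service where the vulnerable OAuth handler links the identity provider's identity to any pre-existing account with the same email, while the hardened handler refuses to merge into an account whose address was never verified. Class and method names are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    email: str
    email_verified: bool
    password_set: bool = False          # a password the attacker chose stays valid after a merge
    oauth_subjects: set = field(default_factory=set)

class AuthService:
    """Hypothetical in-memory account store keyed by email."""
    def __init__(self):
        self.accounts = {}

    def register_with_password(self, email, verified=False):
        # Vulnerable pattern: the account is usable before ownership of the address is proven.
        self.accounts[email] = Account(email=email, email_verified=verified, password_set=True)
        return self.accounts[email]

    def oauth_login_vulnerable(self, provider_sub, email):
        # Links the IdP identity to whatever account already carries this email,
        # even if that account was pre-registered by someone who never proved ownership.
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email=email, email_verified=True)
            self.accounts[email] = acct
        acct.oauth_subjects.add(provider_sub)
        return acct                       # attacker's password still works on the merged account

    def oauth_login_fixed(self, provider_sub, email, idp_email_verified):
        # Trust the provider's address only when the provider asserts it is verified.
        if not idp_email_verified:
            raise PermissionError("identity provider did not verify the email address")
        acct = self.accounts.get(email)
        if acct is None:
            acct = Account(email=email, email_verified=True)
            self.accounts[email] = acct
        elif not acct.email_verified:
            # Never merge into an unverified, password-registered account: finishing email
            # verification first is what prevents the pre-account-takeover and persistence.
            raise PermissionError("existing account is unverified; complete verification first")
        acct.oauth_subjects.add(provider_sub)
        return acct
```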