Introduction
# CVE-2025-56224: One-Time Password (OTP) Verification Bypass
# Description
An attacker who already holds a SigningHub account can enter another person's mobile number as their own and complete the mobile number verification step without knowing the OTP code that was sent to that number.
------------------------------------------
# CVSS Score: 8.1 (High)
------------------------------------------
Attack Type
* Remote (Authenticated)
------------------------------------------
Affected Versions
* 8.6.8 and earlier
------------------------------------------
Vendor of Product
* Ascertia
------------------------------------------
Affected Product Code Base
* SigningHub
------------------------------------------
Affected Component
* Mobile number verification function.
------------------------------------------
Mitigations
* Invalidate the OTP code once the number of failed verification attempts reaches a fixed threshold, so that a brute-force run cannot exhaust the code space, and rate-limit the verification endpoint.
------------------------------------------
Vulnerability Details
* The application does not enforce rate limiting on the One-Time Password (OTP) verification endpoint: there is no attempt counter, lockout or throttling, so the OTP remains valid no matter how many wrong guesses are submitted. An attacker can therefore script the verification request and submit every possible code in rapid succession until one is accepted, completing verification of a mobile number they do not control.
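The following is an added example, not code from the advisory or from Ascertia. It models the flaw and the recommended mitigation side by side: `VulnerableOtpVerifier` accepts unlimited guesses, `HardenedOtpVerifier` invalidates the code after a fixed number of failures and on expiry, and `brute_force` plays the attacker enumerating the code space. The OTP length, the failure threshold, the TTL and the mobile number are assumptions for the simulation; SigningHub's real values are not stated in the advisory.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6  # assumption: the advisory does not state SigningHub's OTP length


@dataclass
class OtpChallenge:
    code: str
    issued_at: float
    failed_attempts: int = 0
    revoked: bool = False


class VulnerableOtpVerifier:
    """Models the advisory's flaw: the code stays valid for any number of wrong guesses."""

    def __init__(self):
        self.challenges = {}

    def issue(self, mobile, code=None):
        # `code` override exists only so the simulation is deterministic;
        # a real service generates the code and sends it by SMS.
        if code is None:
            code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.challenges[mobile] = OtpChallenge(code, time.time())
        return code

    def verify(self, mobile, guess):
        ch = self.challenges.get(mobile)
        # constant-time compare, but no counter, no lockout, no expiry
        return ch is not None and hmac.compare_digest(ch.code, guess)


class HardenedOtpVerifier(VulnerableOtpVerifier):
    """Same issue() as above; verify() applies the mitigation the advisory recommends."""

    MAX_FAILED = 5        # assumption: threshold chosen for the example
    TTL_SECONDS = 300     # assumption: OTP lifetime chosen for the example

    def verify(self, mobile, guess):
        ch = self.challenges.get(mobile)
        if ch is None or ch.revoked:
            return False
        if time.time() - ch.issued_at > self.TTL_SECONDS:
            ch.revoked = True
            return False
        if hmac.compare_digest(ch.code, guess):
            del self.challenges[mobile]  # single use: a correct code cannot be replayed
            return True
        ch.failed_attempts += 1
        if ch.failed_attempts >= self.MAX_FAILED:
            ch.revoked = True  # code invalidated; the user must request a fresh one
        return False


def brute_force(verifier, mobile, max_guesses=10 ** OTP_DIGITS):
    """Attacker loop: submit every code in order. Returns (success, guesses_sent)."""
    for n in range(max_guesses):
        guess = f"{n:0{OTP_DIGITS}d}"
        if verifier.verify(mobile, guess):
            return True, n + 1
    return False, max_guesses


if __name__ == "__main__":
    victim = "+10000000000"  # constructed number for the simulation
    for cls in (VulnerableOtpVerifier, HardenedOtpVerifier):
        v = cls()
        v.issue(victim)  # attacker never sees the returned code
        ok, sent = brute_force(v, victim)
        print(f"{cls.__name__}: bypassed={ok} after {sent} guesses")
```

Against the vulnerable verifier the loop always succeeds once it reaches the issued code; against the hardened one the code is revoked after `MAX_FAILED` wrong guesses and every later request, including the correct code, is rejected, so the only remaining cost to the attacker is one more OTP request per five guesses, which is where the endpoint rate limit has to apply.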
------------------------------------------
Fixed versions
* Versions later than 8.6.8
------------------------------------------
Discovered By:
* Yazan Abu-Nadi
File snapshot
[4.0K] /data/pocs/8443e79423a291bf293399d9622f08f87ca78e26
└── [1.4K] README.md
0 directories, 1 file