CVE-2024-24769— Vantage6: No limit on emails sent for password/MFA reset
Possible ATT&CK Techniques 3AI
T1498 · Network Denial of Service T1071 · Application Layer Protocol T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-24769
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Vantage6: No limit on emails sent for password/MFA reset
Source: NVD (National Vulnerability Database)
Vulnerability Description
vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, users can reset their MFA token via API routes that send them an email. Currently the number of emails that is sent is not limited. This gives attackers the option to flood someones mailbox with a lot of emails, and would have adverse effects on the SMTP server which may be seen as spam sender. Note resetting the MFA token requires a correct password, so the potential impact for this is very low. Version 5.0.0 fixes the issue. No known workarounds are available.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Vantage6 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
vantage6是vantage6团队开源的一个用于 Secure Insight eXchange 的开源 priVAcy preserviNg federalTed leArningG 基础架构。 Vantage6 5.0.0之前版本存在资源管理错误漏洞,该漏洞源于未限制通过API路由发送的重置MFA令牌邮件数量,可能导致SMTP服务器被标记为垃圾邮件发送者。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-24769
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-24769
请登录查看更多情报信息。
Vendor Advisories for CVE-2024-24769 (2)
Same Patch Batch · vantage6 · 2026-06-17 · 4 CVEs total
| CVE-2026-54533 | vantage6 node has an Improper Access Control issue | |
| CVE-2026-54445 | Vantage6: Set admin user and password from environment or configuration | |
| CVE-2024-27928 | Vantage6: 2FA can be circumvented with hacked email access |
IV. Related Vulnerabilities
Same product: vantage6
- CVE-2026-54533
vantage6 node has an Improper Access Control issue - CVE-2026-54445
Vantage6: Set admin user and password from environment or co - CVE-2024-27928
Vantage6: 2FA can be circumvented with hacked email access - CVE-2025-43866
Vantage6 Server JWT secret not cryptographically secure - CVE-2025-43863
vantage6 lacks brute-force protection on change password fun
Same vendor: vantage6
- CVE-2026-54533
vantage6 node has an Improper Access Control issue - CVE-2026-54445
Vantage6: Set admin user and password from environment or co - CVE-2024-27928
Vantage6: 2FA can be circumvented with hacked email access - CVE-2025-43866
Vantage6 Server JWT secret not cryptographically secure - CVE-2025-43863
vantage6 lacks brute-force protection on change password fun
Same weakness: CWE-400
- CVE-2026-9375
Decompression Bomb Bypass via Negative max_length in Streami - CVE-2026-49293
CPU exhaustion via O(n^2) BigInt construction on radix-prefi - CVE-2026-48937
Node.js 22/24 HTTP/2服务器GoAway帧后持续接收数据漏洞 - CVE-2025-53114
CometD has acknowledgement extension out of memory - CVE-2025-32437
AutoGPT has a DoS vulnerability in MediaDurationBlock
V. Comments for CVE-2024-24769
No comments yet