CVE-2024-27928— Vantage6: 2FA can be circumvented with hacked email access
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-27928
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Vantage6: 2FA can be circumvented with hacked email access
Source: NVD (National Vulnerability Database)
Vulnerability Description
vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, if an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access). Note that most email providers require 2FA to access email, so this issue is not very likely to cause issues. Version 5.0.0 fixes the issue. No known workarounds are available.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用单一因素认证机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
Vantage6 授权问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
vantage6是vantage6团队开源的一个用于 Secure Insight eXchange 的开源 priVAcy preserviNg federalTed leArningG 基础架构。 Vantage6 5.0.0之前版本存在授权问题漏洞,该漏洞源于CWE-308授权问题,可能导致攻击者在劫持用户邮箱后重置密码和双因素认证令牌。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2024-27928
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-27928
请登录查看更多情报信息。
Vendor Advisories for CVE-2024-27928 (2)
Same Patch Batch · vantage6 · 2026-06-17 · 4 CVEs total
| CVE-2026-54533 | vantage6 node has an Improper Access Control issue | |
| CVE-2026-54445 | Vantage6: Set admin user and password from environment or configuration | |
| CVE-2024-24769 | Vantage6: No limit on emails sent for password/MFA reset |
IV. Related Vulnerabilities
Same product: vantage6
- CVE-2026-54533
vantage6 node has an Improper Access Control issue - CVE-2026-54445
Vantage6: Set admin user and password from environment or co - CVE-2024-24769
Vantage6: No limit on emails sent for password/MFA reset - CVE-2025-43866
Vantage6 Server JWT secret not cryptographically secure - CVE-2025-43863
vantage6 lacks brute-force protection on change password fun
Same vendor: vantage6
- CVE-2026-54533
vantage6 node has an Improper Access Control issue - CVE-2026-54445
Vantage6: Set admin user and password from environment or co - CVE-2024-24769
Vantage6: No limit on emails sent for password/MFA reset - CVE-2025-43866
Vantage6 Server JWT secret not cryptographically secure - CVE-2025-43863
vantage6 lacks brute-force protection on change password fun
V. Comments for CVE-2024-27928
No comments yet