CVE-2020-10876 — HIGH (7.5)

Vulnerability Description

The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) does not correctly implement its timeout on the four-digit verification code that is required for resetting passwords, nor does it properly restrict excessive verification attempts. This allows an attacker to brute force the four-digit verification code in order to bypass email verification and change the password of a victim account.

CVSS Score

7.5

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Oklok Project	Oklok	3.1.1
Mica	Fingerprint Bluetooth Padlock Fb50	-

Related Weaknesses (CWE)

CWE-307 CWE-613

References

https://apps.apple.com/us/app/oklok/id1392287771ProductThird Party Advisory
https://github.com/fierceoj/ownklokExploitThird Party Advisory
https://apps.apple.com/us/app/oklok/id1392287771ProductThird Party Advisory
https://github.com/fierceoj/ownklokExploitThird Party Advisory

FAQ

What is CVE-2020-10876?

CVE-2020-10876 is a vulnerability with a CVSS score of 7.5 (HIGH). The OKLOK (3.1.1) mobile companion app for Fingerprint Bluetooth Padlock FB50 (2.3) does not correctly implement its timeout on the four-digit verification code that is required for resetting password...

How severe is CVE-2020-10876?

CVE-2020-10876 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-10876?

Check the references section above for vendor advisories and patch information. Affected products include: Oklok Project Oklok, Mica Fingerprint Bluetooth Padlock Fb50.