{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2024-51557","assignerOrgId":"66834db9-ab24-42b4-be80-296b2e40335c","state":"PUBLISHED","assignerShortName":"CERT-In","dateReserved":"2024-10-29T12:55:06.455Z","datePublished":"2024-11-04T12:12:41.177Z","dateUpdated":"2024-11-04T15:05:06.360Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Wave 2.0","vendor":"Brokerage Technology Solutions","versions":[{"status":"affected","version":"<1.1.7"}]}],"credits":[{"lang":"en","type":"finder","value":"This vulnerability is reported by Mohit Gadiya."}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"This vulnerability exists in the Wave 2.0 due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoint which could lead to the OTP bombing/flooding on the targeted system."}],"value":"This vulnerability exists in the Wave 2.0 due to missing rate limiting on OTP requests in an API endpoint. An authenticated remote attacker could exploit this vulnerability by sending multiple OTP request through vulnerable API endpoint which could lead to the OTP bombing/flooding on the targeted system."}],"metrics":[{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":7.1,"baseSeverity":"HIGH","privilegesRequired":"LOW","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"HIGH","vulnConfidentialityImpact":"NONE","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-799","description":"CWE-799: Improper Control of Interaction Frequency","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"66834db9-ab24-42b4-be80-296b2e40335c","shortName":"CERT-In","dateUpdated":"2024-11-04T12:12:41.177Z"},"references":[{"tags":["third-party-advisory"],"url":"https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0332"}],"solutions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"Upgrade Wave 2.0 to version 1.1.7 <br>"}],"value":"Upgrade Wave 2.0 to version 1.1.7"}],"source":{"discovery":"UNKNOWN"},"title":"No Rate Limiting Vulnerability in Wave 2.0","x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2024-11-04T15:04:58.013052Z","id":"CVE-2024-51557","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2024-11-04T15:05:06.360Z"}}]}}