CVE-2024-47654

7.5 HIGH

📋 TL;DR

Certain OTP API endpoints in Shilpi Client Dashboard enforce neither rate limiting nor CAPTCHA, so an unauthenticated remote attacker can submit OTP requests in rapid succession (OTP bombing). The result is SMS/email quota exhaustion, provider cost and reputation damage, and harassment of the targeted users. Any deployment that exposes the affected OTP endpoints is affected.

💻 Affected Systems

Products:
  • Shilpi Client Dashboard
Versions: All versions prior to patch
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with OTP functionality enabled via vulnerable API endpoints.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system denial-of-service through resource exhaustion, SMS/email provider blacklisting due to spam, and potential account lockouts for legitimate users.

🟠

Likely Case

Service disruption through OTP flooding, increased operational costs from SMS/email charges, and user harassment through repeated OTP notifications.

🟢

If Mitigated

Minimal impact with proper rate limiting and CAPTCHA controls preventing automated OTP requests.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request flooding with no authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor advisory for specific version

Vendor Advisory: https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2024-0313

Restart Required: Yes

Instructions:

1. Check vendor advisory for patch availability
2. Apply vendor-provided security update
3. Restart application services
4. Verify that rate limiting and CAPTCHA are actually enforced on the OTP-send endpoints (see "How to Verify" below)

🔧 Temporary Workarounds

Implement Web Application Firewall Rules (all platforms)

Configure the WAF to cap OTP request frequency per source IP and, where the rule engine supports it, per target phone number or e-mail address, returning HTTP 429 once the threshold is exceeded. The exact rule syntax is vendor-specific.

API Gateway Rate Limiting (all platforms)

Add rate limiting at the API gateway for the OTP-send endpoints so that bursts are rejected before they reach the application or the SMS/email provider. Configuration is gateway-specific.
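The policy a WAF, gateway or application-side fix needs to enforce, written out as an added Python example (not code from Shilpi or from the advisory). It applies two sliding-window limits that the vulnerable endpoints lacked, per source IP and per recipient, and rejects requests that carry no verified CAPTCHA before any quota is consumed. The limits (5 per IP, 3 per recipient, per 60 seconds), the status codes and the function names are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class OtpRateLimiter:
    """Sliding-window limiter for an OTP-send endpoint.

    Two independent limits, both of which the vulnerable endpoints lacked:
      * per source IP: at most ip_limit requests per window seconds
      * per recipient (phone/email): at most recipient_limit per window,
        so one user cannot be bombed from many IPs (proxies, botnets)
    Limits and window are illustrative assumptions, not vendor values.
    """

    def __init__(self, ip_limit=5, recipient_limit=3, window=60.0,
                 clock=time.monotonic):
        self.ip_limit = ip_limit
        self.recipient_limit = recipient_limit
        self.window = window
        self.clock = clock  # injectable so tests can advance time
        self._by_ip = defaultdict(deque)
        self._by_recipient = defaultdict(deque)

    def _recent(self, bucket, key, now):
        """Drop timestamps older than the window; return the live deque."""
        q = bucket[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, source_ip, recipient):
        """Return (allowed, reason). Only an allowed request consumes quota."""
        now = self.clock()
        ip_q = self._recent(self._by_ip, source_ip, now)
        rcpt_q = self._recent(self._by_recipient, recipient, now)
        if len(ip_q) >= self.ip_limit:
            return False, "ip_rate_limited"
        if len(rcpt_q) >= self.recipient_limit:
            return False, "recipient_rate_limited"
        ip_q.append(now)
        rcpt_q.append(now)
        return True, "ok"


def handle_otp_request(limiter, source_ip, recipient, captcha_verified):
    """Decision an OTP-send handler (or gateway policy) should make.

    Returns an HTTP status: 403 when no valid CAPTCHA accompanied the
    request, 429 when a limit is hit, 200 when the OTP may be sent.
    captcha_verified is the result of checking the token upstream.
    """
    if not captcha_verified:
        return 403  # reject before any quota is consumed
    allowed, _reason = limiter.allow(source_ip, recipient)
    if not allowed:
        return 429  # caller should also set Retry-After
    return 200  # hand off to the SMS/email provider here


def simulate_burst(limiter, attempts, source_ip, recipient):
    """Replay an OTP-bombing burst and return the status code per request."""
    return [handle_otp_request(limiter, source_ip, recipient, True)
            for _ in range(attempts)]


if __name__ == "__main__":
    limiter = OtpRateLimiter()
    print(simulate_burst(limiter, 10, "203.0.113.7", "+910000000001"))
```

The per-recipient limit matters as much as the per-IP one: a per-IP rule alone still lets an attacker bomb a single victim from a pool of addresses, which is the harassment scenario the advisory describes.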

🧯 If You Can't Patch

  • Implement network-level rate limiting for the OTP endpoints using firewall rules
  • Require a CAPTCHA challenge, or an existing authenticated session, before an OTP-send call is accepted
  • Disable OTP functionality if it is not essential

🔍 How to Verify

Check if Vulnerable:

Send a short burst of consecutive requests (for example 15 within a few seconds) to the OTP-send endpoint without a CAPTCHA token, using a recipient you control. If every request is accepted and an OTP is dispatched each time, the deployment is vulnerable.

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Repeat the same burst: requests without a CAPTCHA token should be rejected, and once the threshold is exceeded the endpoint should answer 429 (or similar) instead of sending further OTPs.
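A black-box check for the two verification steps above, as an added Python example (not a tool from the vendor or from CERT-In). It fires a bounded burst of CAPTCHA-less OTP requests and classifies the endpoint from the status codes it gets back. The URL, the JSON field name and the recipient are placeholders: the advisory names no endpoint paths, so substitute your deployment's own. Run it only against a system you are authorized to test and with a recipient you control, since a vulnerable target will really send the OTPs.

```python
import json
import time
import urllib.error
import urllib.request

# Hypothetical endpoint and request body; the advisory only speaks of
# "OTP API endpoints". Replace with the real path and fields.
OTP_URL = "https://dashboard.example.test/api/v1/otp/send"
RECIPIENT = "+910000000000"  # a number you control


def send_otp_request(url=OTP_URL, recipient=RECIPIENT, timeout=5):
    """POST one OTP request carrying no CAPTCHA token; return the HTTP status."""
    body = json.dumps({"mobile": recipient}).encode()
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code  # 403/429 here is the behaviour we are hoping to see


def probe_rate_limit(send=send_otp_request, attempts=15, pause=0.0):
    """Send `attempts` back-to-back requests and classify the endpoint.

    `send` is injectable so the logic can be exercised without a network.
    """
    codes = []
    for _ in range(attempts):
        codes.append(send())
        if pause:
            time.sleep(pause)
    accepted = sum(1 for c in codes if 200 <= c < 300)
    blocked = sum(1 for c in codes if c in (403, 429))
    if blocked == 0 and accepted == attempts:
        verdict = "likely vulnerable: no request was refused"
    elif blocked:
        verdict = "rate limit enforced"
    else:
        verdict = "inconclusive: check the response codes"
    return {
        "codes": codes,
        "accepted": accepted,
        "blocked": blocked,
        # A fixed endpoint should refuse even the very first CAPTCHA-less call.
        "first_request_accepted": bool(codes) and 200 <= codes[0] < 300,
        "verdict": verdict,
    }


if __name__ == "__main__":
    result = probe_rate_limit()
    print(result["codes"])
    print(result["verdict"])
    if result["first_request_accepted"]:
        print("CAPTCHA not enforced: first CAPTCHA-less request was accepted")
```

Read `first_request_accepted` separately from the rate-limit verdict: a deployment can have added a 429 threshold and still dispatch OTPs without any CAPTCHA, which leaves the harassment vector open at a slower rate.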

📡 Detection & Monitoring

Log Indicators:

  • High frequency of OTP-send requests from a single source IP, or many requests for the same recipient from several IPs
  • OTP-send requests reaching the backend with no CAPTCHA token (the vulnerable endpoints do not require one)

Network Indicators:

  • Unusual volume of requests to OTP API endpoints
  • Requests bypassing CAPTCHA validation

SIEM Query:

source_ip=* AND uri_path="*/otp/*" AND count > 10 within 60s

(Vendor-neutral pseudo-query; translate to your SIEM's syntax and adjust the threshold to your normal OTP traffic.)
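The same rule run as a sliding-window detector over web-server access logs, as an added Python example (not code from the page or from any SIEM vendor). The log lines are constructed for the example: one source issuing 12 OTP requests in about half a minute, one normal client, and login traffic from the noisy source that must not count. The path pattern `/otp/` and the 10-in-60-seconds threshold are taken from the pseudo-query above; the combined log format is an assumption about the deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def _line(ip, hhmmss, path, status=200):
    """Build one constructed combined-format access-log line (not real traffic)."""
    return (f'{ip} - - [10/Oct/2024:{hhmmss} +0000] "POST {path} HTTP/1.1" '
            f'{status} 41 "-" "python-requests/2.31"')


# Constructed sample: one bombing source, one normal client, and non-OTP noise.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"12:00:{s:02d}", "/api/v1/otp/send")
     for s in range(1, 37, 3)]                      # 12 OTP requests in 33 s
    + [_line("198.51.100.4", f"12:00:{s:02d}", "/api/v1/otp/send")
       for s in (5, 25, 50)]                        # 3 requests: legitimate
    + [_line("203.0.113.7", f"12:00:{s:02d}", "/api/v1/login")
       for s in range(0, 60, 4)]                    # 15 login hits: not OTP
)


def parse_line(line):
    """Parse a combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def detect_otp_bursts(lines, threshold=10, window_s=60, path_pattern=r"/otp/"):
    """Sliding-window form of: uri_path matches /otp/ AND count > threshold
    within window_s seconds, grouped by source IP. One alert per offending IP."""
    path_re = re.compile(path_pattern)
    events = sorted((e for e in map(parse_line, lines) if e),
                    key=lambda e: e["ts"])
    recent = defaultdict(deque)
    alerts, alerted = [], set()
    for ev in events:
        if not path_re.search(ev["path"]):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) > threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append({"ip": ev["ip"], "count": len(q),
                           "first": q[0].isoformat(),
                           "last": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_otp_bursts(SAMPLE_LOG):
        print(f"ALERT otp_bombing src={a['ip']} count={a['count']} "
              f"window={a['first']}..{a['last']}")
```

A per-IP count alone misses the distributed form of the attack; to catch many IPs bombing one victim, key the same window on the recipient field from the application log instead of on the source address.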

🔗 References

📤 Share & Export