Impact
Capgo before version 12.128.2 contains an authentication bypass in the account deletion endpoint. The vulnerability allows an attacker to delete a user’s account without re-entering the password or providing any secondary verification. An affected user’s account can be removed, which results in loss of data and of access to services and can lead to a denial‑of‑service condition for the entire application.
Affected Systems
Vulnerable installations are any Capgo deployments running a version earlier than 12.128.2. The effect is limited to the account that is actively logged in or whose session cookie is hijacked.
Risk and Exploitability
The CVSS score of 7 indicates that the problem is a serious risk. Because the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, the exact likelihood of exploitation is not quantified, but the potential attack vectors – session hijacking, CSRF, or parameter tampering – make exploitation practical for an attacker who obtains a session or crafts a malicious request. Successful exploitation permanently deletes the user’s account, with loss of data and loss of service availability for that user.
OpenCVE Enrichment