CVE-2024-24771 is a vulnerability classified under CWE-284 (Improper Access Control), CWE-287 (Improper Authentication), and CWE-654 (Exposure of Resource to Wrong Sphere) affecting the open-source Open Forms platform, which enables users to create and publish smart forms. The flaw exists in versions prior to 2.2.9, 2.3.7, 2.4.5, and 2.5.2, where a multi-factor authentication (MFA) mechanism intended to protect superuser accounts can potentially be bypassed if an attacker has already compromised the username and password credentials. The maintainers note that the bypass is non-exploitable under normal conditions due to three key mitigating factors: (1) the main login page requires successful MFA completion before granting full access, (2) the secondary API authentication endpoint (`/api/v2/api-auth/login/`) was misconfigured and does not allow login, and (3) no other login methods exist. However, if an attacker could authenticate via the vulnerable path, they could bypass the second factor, leading to unauthorized access to sensitive submission data and the ability to impersonate other staff accounts, potentially modifying or viewing confidential information. The patches introduced in the fixed versions restrict the API authentication endpoints to only be enabled when `settings.DEBUG = True` (which should never be enabled in production) and add custom permission checks to ensure only second-factor-verified superusers can perform user hijacking. The vulnerability has a CVSS 3.1 score of 7.7, indicating high severity due to network attack vector, high privileges required, no user interaction, and a scope change with high confidentiality and integrity impacts but no availability impact. No known exploits have been reported in the wild to date.

For European organizations using Open Forms, especially those handling sensitive or personal data through smart forms (e.g., government agencies, healthcare providers, financial institutions), this vulnerability poses a significant risk. If superuser credentials are compromised, attackers could bypass MFA protections, gaining unauthorized access to sensitive submission data, potentially including personal identifiable information (PII) or confidential business data. This could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), reputational damage, and unauthorized data manipulation. The ability to impersonate staff accounts further exacerbates the risk by enabling lateral movement and privilege escalation within the organization’s systems. Although exploitation requires credential compromise and is mitigated by certain factors, the high-impact nature of the vulnerability means organizations must act promptly to patch affected versions. The lack of known exploits reduces immediate risk but does not eliminate the threat, especially given the public disclosure and availability of technical details.

European organizations should immediately verify their Open Forms version and upgrade to versions 2.2.9, 2.3.7, 2.4.5, or 2.5.2 or later, where the vulnerability is patched. Ensure that `settings.DEBUG` is never enabled in production environments to prevent exposure of the API authentication endpoints. Implement strict access controls and monitoring on superuser accounts, including enforcing strong password policies and continuous credential hygiene to prevent compromise. Employ additional layers of security such as network segmentation and anomaly detection to identify unusual access patterns indicative of account hijacking. Regularly audit user permissions and review logs for unauthorized access attempts. Consider integrating external MFA solutions that are independent of the vulnerable Open Forms MFA implementation to add defense in depth. Finally, educate administrators about the risks of credential compromise and the importance of applying security patches promptly.