CVE-2025-50503

A vulnerability in the password reset workflow of the Touch Lebanon Mobile App 2.20.2 allows an attacker to bypass the OTP reset password mechanism. By manipulating the reset process, an unauthorized user may be able to reset the password and gain access to the account without needing to provide a legitimate authentication factor, such as an OTP. This compromises account security and allows for potential unauthorized access to user data.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/ksarieddine/disclosures/blob/main/Touch%20Mobile%20Application/2FA%20Bypass%20-%20Touch%20Lebanon.md
https://www.touch.com.lb/autoforms/portal/touch/personal/contentandapps/mobileapp

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) Una vulnerabilidad en el flujo de trabajo de restablecimiento de contraseña de Touch Lebanon Mobile App 2.20.2 permite a un atacante eludir el mecanismo de restablecimiento de contraseña OTP. Al manipular el proceso de restablecimiento, un usuario no autorizado podría restablecer la contraseña y acceder a la cuenta sin necesidad de proporcionar un factor de autenticación legítimo, como un OTP. Esto compromete la seguridad de la cuenta y permite un posible acceso no autorizado a los datos del usuario.

20 Aug 2025, 14:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-20 14:15

Updated : 2026-04-15 00:35

NVD link : CVE-2025-50503

Mitre link : CVE-2025-50503

CVE.ORG link : CVE-2025-50503

JSON object : View

Products Affected

No product.

CWE

CWE-640

Weak Password Recovery Mechanism for Forgotten Password

8.8 /10