Cap Go
Monthly
Account takeover in Cap-go (Capgo) versions prior to 12.128.2 allows an attacker holding a temporary authenticated session to change the account's registered email address without re-authentication (no password or MFA prompt), then trigger a password reset to attacker-controlled inbox and seize the account. The flaw, reported by VulnCheck and tracked as a missing-authentication weakness (CWE-306), has a vendor patch but no public exploit identified at time of analysis.
Account takeover in Cap-go (Capgo) versions prior to 12.128.2 allows an attacker holding a temporary authenticated session to change the account's registered email address without re-authentication (no password or MFA prompt), then trigger a password reset to attacker-controlled inbox and seize the account. The flaw, reported by VulnCheck and tracked as a missing-authentication weakness (CWE-306), has a vendor patch but no public exploit identified at time of analysis.