CVE-2022-45173: 
Linux Alpine vulnerability analysis and mitigation

An issue was discovered in LIVEBOX Collaboration vDesk through v018. A Bypass of Two-Factor Authentication can occur under the /api/v1/vdeskintegration/challenge endpoint. Because only the client-side verifies whether a check was successful, an attacker can modify the response, and fool the application into concluding that the TOTP was correct (NVD, CVE).

The vulnerability exists in the two-factor authentication implementation where the verification of TOTP (Time-based One-Time Password) is performed on the client-side rather than server-side. The issue affects the /api/v1/vdeskintegration/challenge endpoint. The vulnerability has been assigned a CVSS v3.1 Base Score of 9.8 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

Due to the critical nature of this vulnerability, an attacker can bypass the two-factor authentication mechanism completely. This could lead to unauthorized access to user accounts, potentially exposing sensitive information and allowing unauthorized actions to be performed on behalf of legitimate users (NVD).

The vulnerability affects LIVEBOX Collaboration vDesk through version 018. Organizations should implement server-side verification of TOTP codes rather than relying on client-side verification. Updates or patches addressing this vulnerability should be applied when available (NVD).