CVE-2025-50503

HIGH

Touch Lebanon Mobile App 2.20.2 - Auth Bypass

Title source: llm

Description

A vulnerability in the password reset workflow of the Touch Lebanon Mobile App 2.20.2 allows an attacker to bypass the OTP reset password mechanism. By manipulating the reset process, an unauthorized user may be able to reset the password and gain access to the account without needing to provide a legitimate authentication factor, such as an OTP. This compromises account security and allows for potential unauthorized access to user data.

References (2)

[Various Sources] https://github.com/ksarieddine/disclosures/blob/main/Touch%20Mobile%20Application/2FA%20Bypass%20-%20Touch%20Lebanon.md

View Writeup ZIP pw:eip

[Various Sources] https://www.touch.com.lb/autoforms/portal/touch/personal/contentandapps/mobileapp

Scores

CVSS v3 8.8

EPSS 0.0007

EPSS Percentile 22.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-640

Status published

Published Aug 20, 2025

Tracked Since Feb 18, 2026