Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS05NnFtLWh3aHAtMnJtOM4AA8wB
Improper Authentication in CraftCMS two factor authentication plugin
The CraftCMS plugin Two-Factor Authentication through 3.3.3 allows reuse of TOTP tokens multiple times within the validity period.
Permalink: https://github.com/advisories/GHSA-96qm-hwhp-2rm8JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS05NnFtLWh3aHAtMnJtOM4AA8wB
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago
CVSS Score: 4.8
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
Identifiers: GHSA-96qm-hwhp-2rm8, CVE-2024-5658
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-5658
- https://github.com/born05/craft-twofactorauthentication/releases/tag/3.3.4
- https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-02_CraftCMS_Plugin_Two-Factor_Authentication_TOTP_Valid_After_Use
- https://plugins.craftcms.com/two-factor-authentication?craft4
- https://github.com/born05/craft-twofactorauthentication/commit/89d2339463c0f3ee690e707d4bc8501360885289
- http://www.openwall.com/lists/oss-security/2024/06/06/2
- https://github.com/advisories/GHSA-96qm-hwhp-2rm8
Blast Radius: 0.0
Affected Packages
packagist:born05/craft-twofactorauthentication
Dependent packages: 1Dependent repositories: 1
Downloads: 89,193 total
Affected Version Ranges: < 3.3.4
Fixed in: 3.3.4
All affected versions: 0.0.1, 0.0.2, 0.0.3, 0.0.4, 0.0.5, 0.0.6, 1.0.0, 1.0.1, 1.1.0, 2.0.0, 2.0.1, 2.1.0, 2.1.1, 2.1.2, 2.2.0, 2.3.0, 2.4.0, 2.5.0, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.8.0, 2.8.1, 2.9.0, 2.10.0, 2.10.1, 2.11.0, 2.11.1, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.3.2, 3.3.3
All unaffected versions: 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.4.0