Lucene search

Sba-researchCVELIST:CVE-2024-5657

HistoryJun 06, 2024 - 10:29 a.m.

CVE-2024-5657 CraftCMS Plugin - Two-Factor Authentication - Password Hash Disclosure

2024-06-0610:29:40

CWE-522

sba-research

www.cve.org

cve-2024-5657

craftcms

plugin

two-factor authentication

password hash disclosure

totp

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

4.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.4%

JSON

The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP.

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "CraftCMS Plugin - Two-Factor Authentication",
    "repo": "https://github.com/born05/craft-twofactorauthentication",
    "vendor": "Born05",
    "versions": [
      {
        "lessThanOrEqual": "3.3.3",
        "status": "affected",
        "version": "3.3.1",
        "versionType": "custom"
      }
    ]
  }
]

References

www.openwall.com/lists/oss-security/2024/06/06/1

github.com/born05/craft-twofactorauthentication/releases/tag/3.3.4

github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-01_CraftCMS_Plugin_Two-Factor_Authentication_Password_Hash_Disclosure

plugins.craftcms.com/two-factor-authentication?craft4

3.7 Low

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

4.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.4%

JSON

Related for CVELIST:CVE-2024-5657