CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
25.5%
Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period.
An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim’s credentials.
A TOTP token can be used multiple times to establish an authenticated session.
RFC 6238 insists that an OTP must not be used more than once.
> The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP.
The OWASP Application Security Verification Standard v4.0.3 (ASVS) reiterates
this property with requirement 2.8.4.
> Verify that time-based OTP can be used only once within the validity period.
It should also be noted that the validity period of an TOTP token is 2 minutes. This makes a successful brute force attack more likely, since the four tokens are valid at the same time.
This has been patched in Craft 5.2.3.
References:
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV 2024061701_CraftCMS_TOTP_Valid_After_Use
github.com/advisories/GHSA-wmx7-pw49-88jx
github.com/craftcms/cms/commit/7c790fa5ad5a8cb8016cb6793ec3554c4c079e38
github.com/craftcms/cms/releases/tag/5.2.3
github.com/craftcms/cms/security/advisories/GHSA-wmx7-pw49-88jx
github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240617-01_CraftCMS_TOTP_Valid_After_Use
nvd.nist.gov/vuln/detail/CVE-2024-41800
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
25.5%