Lucene search

[email protected]NVD:CVE-2022-28601

HistoryMay 10, 2022 - 9:15 p.m.

CVE-2022-28601

2022-05-1021:15:11

CWE-863

[email protected]

web.nvd.nist.gov

two-factor authentication

simple 2fa plugin

moodle

remote attackers

phone verification

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

40.3%

JSON

A Two-Factor Authentication (2FA) bypass vulnerability in “Simple 2FA Plugin for Moodle” by LMS Doctor allows remote attackers to overwrite the phone number used for confirmation via the profile.php file. Therefore, allowing them to bypass the phone verification mechanism.

Affected configurations

Nvd

Node

lmsdoctor2_factor_authenticationMatch-moodle

VendorProductVersionCPE
lmsdoctor2_factor_authentication-cpe:2.3:a:lmsdoctor:2_factor_authentication:-:*:*:*:*:moodle:*:*

Vendor	Product	Version	CPE
lmsdoctor	2_factor_authentication	-	cpe:2.3:a:lmsdoctor:2_factor_authentication:-:::::moodle::

References

github.com/FlaviuPopescu/CVE-2022-28601

www.lmsdoctor.com/simple-2-factor-authentication-plugin-for-moodle

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS

0.001

Percentile

40.3%

JSON

Related for NVD:CVE-2022-28601

cve1 cvelist1 prion1