Lucene search

GoogleOSV:CVE-2024-5657

HistoryJun 06, 2024 - 11:15 a.m.

CVE-2024-5657

2024-06-0611:15:49

Google

osv.dev

craftcms

plugin

authentication

disclosure

totp

password hash

security vulnerability

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.4%

JSON

The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP.

CPENameOperatorVersion
craft-twofactorauthenticationeq3.3.3
craft-twofactorauthenticationeq3.3.2
craft-twofactorauthenticationeq3.3.1

Name	Operator	Version
craft-twofactorauthentication	eq	3.3.3
craft-twofactorauthentication	eq	3.3.2
craft-twofactorauthentication	eq	3.3.1

References

www.openwall.com/lists/oss-security/2024/06/06/1

github.com/born05/craft-twofactorauthentication/releases/tag/3.3.4

github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-01_CraftCMS_Plugin_Two-Factor_Authentication_Password_Hash_Disclosure

plugins.craftcms.com/two-factor-authentication?craft4

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

8.1 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

30.4%

JSON

Related for OSV:CVE-2024-5657