10 matches found
Craft CMS Allows TOTP Token To Stay Valid After Use
Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. Impact An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. A TOTP token can be used multiple times t...
GHSA-WMX7-PW49-88JX Craft CMS Allows TOTP Token To Stay Valid After Use
Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. Impact An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. A TOTP token can be used multiple times t...
Tinfoil Devise-two-factor does not "burn" a successfully validated one-time password (OTP)
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow RFC 6238 § 5.2 and does not "burn" a successfully validated one-time password aka OTP, which allows physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing ...
GHSA-X489-JJWM-52G7 Tinfoil Devise-two-factor does not "burn" a successfully validated one-time password (OTP)
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow RFC 6238 § 5.2 and does not "burn" a successfully validated one-time password aka OTP, which allows physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing ...
CVE-2015-7225
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password aka OTP, which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP...
CVE-2015-7225
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password aka OTP, which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP...
Code injection
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password aka OTP, which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP...
CVE-2015-7225
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password aka OTP, which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP...
CVE-2015-7225
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password aka OTP, which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP...
CVE-2015-7225
Concretely, CVE-2015-7225 affects devise-two-factor prior to v4.0.2, where an OTP can be reused for one immediately trailing time interval due to an incomplete fix. Multiple connected records (e.g., CVE-2021-43177 references) confirm the vulnerability pattern and the remediation: upgrade to devis...