4 matches found
scheb/two-factor-bundle bypass two-factor authentication with remember-me option
In versions prior to 3.26.0 and prior to 4.11.0 of the "scheb/two-factor-bundle" project, a security vulnerability allowed attackers to bypass two-factor authentication (2FA) using the remember-me cookie. When the remember-me checkbox was used during login, a "REMEMBERME" cookie was created. Upon...
scheb/two-factor-bundle bypass two-factor authentication with unverified JWT trusted device token
Before version 3.7, the bundle is vulnerable to a security issue in JWT, which can be exploited by an attacker to generate trusted device cookies on their own, effectively bypassing two-factor authentication...
GHSA-H6MP-MC7G-MG49 scheb/two-factor-bundle bypass two-factor authentication with unverified JWT trusted device token
Before version 3.7, the bundle is vulnerable to a security issue in JWT, which can be exploited by an attacker to generate trusted device cookies on their own, effectively bypassing two-factor authentication...
Authentication Bypass
scheb/two-factor-bundle is vulnerable to authentication bypass. The vulnerability exists as the JwtTokenEncoder does not properly verify the validity of the JWT token, allowing an attacker to generate trusted device cookies and bypass the two-factor authentication...