EUVD-2024-1994
Malicious code in bioql PyPI...
EUVD-2024-2439
Malicious code in bioql PyPI...
OpenBao Login MFA Bypass of Rate Limiting and TOTP Token Reuse
Impact: OpenBao's Login Multi-Factor Authentication (MFA) system allows enforcing MFA using Time-based One-Time Password (TOTP). Due to normalization applied by the underlying TOTP library, codes were accepted which could contain whitespace; this whitespace could bypass internal rate limiting of the M...
Hashicorp Vault has Login MFA Rate Limit Bypass Vulnerability
Vault and Vault Enterprise’s “Vault” login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...
CVE-2025-6015
Vault and Vault Enterprise’s “Vault” login MFA rate limits could be bypassed and TOTP tokens could be reused. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...
CVE-2025-6015
CVE-2025-6015 — HashiCorp Vault MFA rate-limiting bypass with TOTP reuse. The vulnerability affects Vault and Vault Enterprise, where login MFA rate limits could be bypassed and TOTP codes reused due to a normalization issue in the TOTP handling. Fixed in Vault Community Edition 1.20.1 and Vault...
Craft CMS Access Control Error Vulnerability
Craft CMS is an open source content management system (CMS). An access control error vulnerability exists in Craft CMS versions 5.0.0-beta.1 through 5.2.2, which stems from allowing multiple reuses of a TOTP token during its validity period. An attacker can exploit the vulnerability by...
GHSA-WMX7-PW49-88JX Craft CMS Allows TOTP Token To Stay Valid After Use
Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. Impact: An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. A TOTP token can be used multiple times t...
LinOTP replay vulnerability with auto resynchronization enabled for TOTP token
LinOTP is prone to a replay attack with activated automatic resynchronization. This vulnerability may allow an attacker to successfully log in with OTP values recorded at a previous point in time. This attack is only possible if automatic resynchronization is enabled for the TOTP token type. The...
GHSA-RQG8-XJP2-PG9W LinOTP replay vulnerability with auto resynchronization enabled for TOTP token
LinOTP is prone to a replay attack with activated automatic resynchronization. This vulnerability may allow an attacker to successfully log in with OTP values recorded at a previous point in time. This attack is only possible if automatic resynchronization is enabled for the TOTP token type. The...
Design/Logic Flaw
totp-rs is a Rust library that permits the creation of 2FA authentication tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time, and could theoretically be used to guess the value of a TOTP token, and thus reuse it in the same time window. The...
CVE-2022-29185 Observable Timing Discrepancy in totp-rs
totp-rs is a Rust library that permits the creation of 2FA authentication tokens per time-based one-time password (TOTP). Prior to version 1.1.0, token comparison was not constant time, and could theoretically be used to guess the value of a TOTP token, and thus reuse it in the same time window. The...