CVE-2024-5657
CVE-2024-5657 affects CraftCMS plugin Two-Factor Authentication (versions 3.3.1–3.3.3). After submitting a valid TOTP, the plugin discloses the password hash of the currently authenticated user in server responses. Root cause: improper handling/exposure of password hashes within normal responses....
CVE-2024-5658
CVE-2024-5658 affects the CraftCMS plugin “Two-Factor Authentication” (versions up to 3.3.3). The root cause is that TOTP tokens can be reused within their validity period, which is described as an improper authentication vulnerability that may allow bypassing 2FA. Practical impact is l...