GitHub_MVULNRICHMENT:CVE-2024-41800CVE-2024-41800 Craft CMS Allows TOTP Token To Stay Valid After Use
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
25.5%
SSVC
Exploitation
poc
Automatable
no
Technical Impact
partial
Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim’s credentials. This has been patched in Craft 5.2.3.
ADP Affected
[
{
"cpes": [
"cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*"
],
"vendor": "craftcms",
"product": "craft_cms",
"versions": [
{
"status": "affected",
"version": "5.0.0",
"versionType": "custom",
"lessThanOrEqual": "5.2.3"
}
],
"defaultStatus": "unknown"
}
]Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N
AI Score
Confidence
High
EPSS
Percentile
25.5%
SSVC
Exploitation
poc
Automatable
no
Technical Impact
partial