CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 2CVE-2024-5658 – CraftCMS Plugin - Two-Factor Authentication - TOTP Token Stays Valid After Use
https://notcve.org/view.php?id=CVE-2024-5658
The CraftCMS plugin Two-Factor Authentication through 3.3.3 allows reuse of TOTP tokens multiple times within the validity period. El complemento CraftCMS Autenticación de dos factores hasta 3.3.3 permite la reutilización de tokens TOTP varias veces dentro del período de validez. • http://www.openwall.com/lists/oss-security/2024/06/06/2 https://github.com/born05/craft-twofactorauthentication/releases/tag/3.3.4 https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-02_CraftCMS_Plugin_Two-Factor_Authentication_TOTP_Valid_After_Use https://plugins.craftcms.com/two-factor-authentication?craft4 • CWE-287: Improper Authentication •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 2CVE-2024-5657 – CraftCMS Plugin - Two-Factor Authentication - Password Hash Disclosure
https://notcve.org/view.php?id=CVE-2024-5657
The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP. El complemento CraftCMS Autenticación de dos factores en las versiones 3.3.1, 3.3.2 y 3.3.3 revela el hash de contraseña del usuario actualmente autenticado después de enviar un TOTP válido. • http://www.openwall.com/lists/oss-security/2024/06/06/1 https://github.com/born05/craft-twofactorauthentication/releases/tag/3.3.4 https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-01_CraftCMS_Plugin_Two-Factor_Authentication_Password_Hash_Disclosure https://plugins.craftcms.com/two-factor-authentication?craft4 • CWE-522: Insufficiently Protected Credentials •
CVSS: 6.1EPSS: 0%CPEs: 8EXPL: 1CVE-2017-17780 – Clockwork SMS Plugins - Multiple Versions - Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2017-17780
The Clockwork SMS clockwork-test-message.php component has XSS via a crafted "to" parameter in a clockwork-test-message request to wp-admin/admin.php. This component code is found in the following WordPress plugins: Clockwork Free and Paid SMS Notifications 2.0.3, Two-Factor Authentication - Clockwork SMS 1.0.2, Booking Calendar - Clockwork SMS 1.0.5, Contact Form 7 - Clockwork SMS 2.3.0, Fast Secure Contact Form - Clockwork SMS 2.1.2, Formidable - Clockwork SMS 1.0.2, Gravity Forms - Clockwork SMS 2.2, and WP e-Commerce - Clockwork SMS 2.0.5. El componente clockwork-test-message.php en Clockwork SMS tiene una vulnerabilidad Cross-Site Scripting (XSS) a través de un parámetro "to" manipulado en una petición clockwork-test-message en wp-admin/admin.php. Este código de componente se encuentra en los siguientes plugins de WordPress: Clockwork Free and Paid SMS Notifications 2.0.3, Two-Factor Authentication - Clockwork SMS 1.0.2, Booking Calendar - Clockwork SMS 1.0.5, Contact Form 7 - Clockwork SMS 2.3.0, Fast Secure Contact Form - Clockwork SMS 2.1.2, Formidable - Clockwork SMS 1.0.2, Gravity Forms - Clockwork SMS 2.2 y WP e-Commerce - Clockwork SMS 2.0.5. • https://packetstormsecurity.com/files/145469/Clockwork-SMS-Cross-Site-Scripting.html https://plugins.trac.wordpress.org/changeset/1781424/clockwork-two-factor-authentication/trunk/templates/clockwork-test-message.php?old=706348&old_path=clockwork-two-factor-authentication%2Ftrunk%2Ftemplates%2Fclockwork-test-message.php • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •