CVE-2024-5657
CraftCMS Plugin - Two-Factor Authentication - Password Hash Disclosure
Severity Score
8.1
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
2
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP.
El complemento CraftCMS Autenticación de dos factores en las versiones 3.3.1, 3.3.2 y 3.3.3 revela el hash de contraseña del usuario actualmente autenticado después de enviar un TOTP válido.
*Credits:
Fabian Funder (SBA Research), Jakob Pachmann (SBA Research)
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-06-05 CVE Reserved
- 2024-06-06 CVE Published
- 2024-06-12 EPSS Updated
- 2024-08-01 CVE Updated
- 2024-08-01 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-522: Insufficiently Protected Credentials
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
https://github.com/born05/craft-twofactorauthentication/releases/tag/3.3.4 | Release Notes | |
https://plugins.craftcms.com/two-factor-authentication?craft4 | Product |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Born05 Search vendor "Born05" | Two-factor Authentication Search vendor "Born05" for product "Two-factor Authentication" | >= 3.3.1 < 3.3.4 Search vendor "Born05" for product "Two-factor Authentication" and version " >= 3.3.1 < 3.3.4" | craftcms |
Affected
|