CVE-2024-5658
CraftCMS Plugin - Two-Factor Authentication - TOTP Token Stays Valid After Use
Severity Score
6.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
2
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
The CraftCMS plugin Two-Factor Authentication through 3.3.3 allows reuse of TOTP tokens multiple times within the validity period.
El complemento CraftCMS Autenticación de dos factores hasta 3.3.3 permite la reutilización de tokens TOTP varias veces dentro del período de validez.
*Credits:
Fabian Funder (SBA Research), Jakob Pachmann (SBA Research)
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-06-05 CVE Reserved
- 2024-06-06 CVE Published
- 2024-06-12 EPSS Updated
- 2024-08-01 CVE Updated
- 2024-08-01 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-287: Improper Authentication
CAPEC
References (4)
| URL | Tag | Source |
|---|---|---|
| https://github.com/born05/craft-twofactorauthentication/releases/tag/3.3.4 | Release Notes | |
| https://plugins.craftcms.com/two-factor-authentication?craft4 | Product |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Born05 Search vendor "Born05" | Two-factor Authentication Search vendor "Born05" for product "Two-factor Authentication" | < 3.3.4 Search vendor "Born05" for product "Two-factor Authentication" and version " < 3.3.4" | craftcms |
Affected
| ||||||