CVE-2024-5657

Public Exploit

CraftCMS Plugin - Two-Factor Authentication - Password Hash Disclosure

Description

The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP.

Remediation

Solution:

Update to version 3.3.4 or later.

References

Link	Tags
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-01_CraftCMS_Plugin_Two-Factor_Authentication_Password_Hash_Disclosure	third party advisory exploit
https://plugins.craftcms.com/two-factor-authentication?craft4	product
https://github.com/born05/craft-twofactorauthentication/releases/tag/3.3.4	release notes
http://www.openwall.com/lists/oss-security/2024/06/06/1	mailing list third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2024-5657?: CVE-2024-5657 has been scored as a low severity vulnerability.
How to fix CVE-2024-5657?: To fix CVE-2024-5657: Update to version 3.3.4 or later.
Is CVE-2024-5657 being actively exploited in the wild?: It is possible that CVE-2024-5657 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-5657?: CVE-2024-5657 affects Born05 CraftCMS Plugin - Two-Factor Authentication.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Remediation

Category

CWE-522 – Insufficiently Protected Credentials

References

Frequently Asked Questions