CVE-2024-5658

Public Exploit

CraftCMS Plugin - Two-Factor Authentication - TOTP Token Stays Valid After Use

Description

The CraftCMS plugin Two-Factor Authentication through 3.3.3 allows reuse of TOTP tokens multiple times within the validity period.

Remediation

Solution:

Update to version 3.3.4 or later.

References

Link	Tags
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-02_CraftCMS_Plugin_Two-Factor_Authentication_TOTP_Valid_After_Use	third party advisory exploit
https://plugins.craftcms.com/two-factor-authentication?craft4	product
https://github.com/born05/craft-twofactorauthentication/releases/tag/3.3.4	release notes
http://www.openwall.com/lists/oss-security/2024/06/06/2	mailing list third party advisory exploit

Frequently Asked Questions

What is the severity of CVE-2024-5658?: CVE-2024-5658 has been scored as a medium severity vulnerability.
How to fix CVE-2024-5658?: To fix CVE-2024-5658: Update to version 3.3.4 or later.
Is CVE-2024-5658 being actively exploited in the wild?: It is possible that CVE-2024-5658 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-5658?: CVE-2024-5658 affects Born05 CraftCMS Plugin - Two-Factor Authentication.

This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.

Description

Remediation

Category

CWE-287 – Improper Authentication

References

Frequently Asked Questions