CVE-2024-5657

June 6, 2024, 2:17 p.m.

3.7
Low

Description

The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP.

Product(s) Impacted

Product Versions
CraftCMS plugin Two-Factor Authentication
  • 3.3.1
  • 3.3.2
  • 3.3.3

Weaknesses

Common security weaknesses mapped to this vulnerability.

References

https://github.com/born05/craft-twofactorauthentication/releases/tag/3.3.4
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-01_CraftCMS_Plugin_Two-Factor_Authentication_Password_Hash_Disclosure
https://plugins.craftcms.com/two-factor-authentication?craft4

Tags

CWE-522
2024-06-06
CVE-2024-5657
1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a

CVSS Score

3.7 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: June 6, 2024, 11:15 a.m.
Last Modified: June 6, 2024, 2:17 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.