CVE-2015-7225

Name of the Vulnerable Software and Affected Versions Tinfoil Devise-two-factor versions prior to 2.0.0

Description The issue arises from not strictly following section 5.2 of RFC 6238, which leads to not "burning" a successfully validated one-time password (OTP). This allows attackers with a target user's login credentials to log in as the user by obtaining the OTP through man-in-the-middle attacks or shoulder surfing and then replaying the OTP in the current time-step.

Recommendations For versions prior to 2.0.0, update to version 2.0.0 or later to resolve the issue.