CVE-2019-12887

Name of the Vulnerable Software and Affected Versions LinOTP versions prior to 2.10.5.3

Description The issue allows for a replay attack when automatic resynchronization is enabled for the TOTP token type, potentially enabling an attacker to log in with previously recorded OTP values. This attack is only possible if automatic resynchronization is activated, which is deactivated by default. Other token types are unaffected.

Recommendations For versions prior to 2.10.5.3, update to version 2.10.5.3 or later to resolve the issue. As a temporary workaround, consider deactivating the automatic resynchronization for the TOTP token type to minimize the risk of exploitation.