Antonella Marino

**Name of the Vulnerable Software and Affected Versions** LIVEBOX Collaboration vDesk versions through v018 **Description** An issue allows a Bypass of Two-Factor Authentication for SAML Users. This can occur under the "/login/backup code" endpoint and the "/api/v1/vdeskintegration/challenge" endpoint. The correctness of the TOTP is not checked properly and can be bypassed by passing any string as the `backup code`. **Recommendations** For versions through v018, as a temporary workaround, consider restricting access to the "/login/backup code" and "/api/v1/vdeskintegration/challenge" endpoints until a patch is available. Avoid using the `backup code` parameter in these affected API endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.