Vvbbnn00

**Name of the Vulnerable Software and Affected Versions** Termix versions prior to 2.1.0 **Description** Termix is a web-based server management platform featuring an SSH terminal, tunneling, and file editing. The '/users/login' endpoint issues a temporary JSON Web Token (JWT), specifically the `temp token`, for accounts with Time-based One-Time Password (TOTP) enabled. This token is intended to have a pendingTOTP state and should only be valid for the second-factor authentication flow. However, the authentication middleware incorrectly accepts this token on regular authenticated endpoints, allowing users to bypass the second factor and reducing authentication to a single factor (password). **Recommendations** Update to version 2.1.0.