PT-2017-7164 · Tinfoil · Tinfoil Devise-Two-Factor

F3Ndot · Published 2017-09-06 · Updated 2018-08-28 · CVE-2015-7225

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Tinfoil Devise-two-factor versions prior to 2.0.0

Description: The issue arises from not strictly following section 5.2 of RFC 6238, which leads to not "burning" a successfully validated one-time password (OTP). This allows attackers with a target user's login credentials to log in as the user by obtaining the OTP through man-in-the-middle attacks or shoulder surfing and then replaying the OTP in the current time-step.

Recommendations: For versions prior to 2.0.0, update to version 2.0.0 or later to resolve the issue.
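As an added illustration (not devise-two-factor's own code), a minimal RFC 6238 verifier in Ruby contrasting a check that merely matches an OTP with one that also consumes its time-step; the class and method names, the in-memory `consumed_timestep` state and the shared secret are constructed for this example.

```ruby
require 'openssl'

# RFC 6238 TOTP verifier with a consumed-time-step guard (added example; not devise-two-factor's code).
class TotpVerifier
  STEP   = 30   # seconds per time-step
  DIGITS = 6
  DRIFT  = 1    # accept one time-step either side of "now"

  # Stands in for a persisted per-user column; assumption for this example.
  attr_reader :consumed_timestep

  def initialize(secret)
    @secret = secret          # raw shared-secret bytes
    @consumed_timestep = nil
  end

  # HOTP (RFC 4226) over the time-step counter: HMAC-SHA1, dynamic truncation, mod 10^DIGITS.
  def code_for(step)
    hmac   = OpenSSL::HMAC.digest('SHA1', @secret, [step].pack('Q>')).bytes
    offset = hmac[19] & 0x0f
    bin    = ((hmac[offset] & 0x7f) << 24) | (hmac[offset + 1] << 16) |
             (hmac[offset + 2] << 8) | hmac[offset + 3]
    format("%0#{DIGITS}d", bin % 10**DIGITS)
  end

  # Pre-2.0.0 style check: returns the matching time-step or nil, and records nothing,
  # so the same OTP validates again for as long as it stays inside the drift window.
  def matching_step(otp, now)
    current = now.to_i / STEP
    ((current - DRIFT)..(current + DRIFT)).find { |s| secure_eq(code_for(s), otp) }
  end

  # RFC 6238 section 5.2 behaviour: an OTP is accepted once; its time-step (and any earlier
  # one) is then "burned", so a replay in the current or the next step is rejected.
  def consume(otp, now)
    step = matching_step(otp, now)
    return false if step.nil?
    return false if @consumed_timestep && step <= @consumed_timestep
    @consumed_timestep = step
    true
  end

  # Constant-time string comparison so OTP matching does not leak via timing.
  def secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In a real deployment `consumed_timestep` must be persisted atomically with the login (for example a conditional database update), otherwise two concurrent requests can both pass the check.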

Related Identifiers

CVE-2015-7225
GHSA-X489-JJWM-52G7

Affected Products

Tinfoil Devise-Two-Factor