PT-2021-17851 · Unknown · Tiny Tiny RSS
Daniel · Published 2021-03-13 · Updated 2021-03-18 · CVE-2021-28373
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Tiny Tiny RSS (aka tt-rss) versions prior to 2021-03-12
Description: The auth_internal plugin in Tiny Tiny RSS allows an attacker to log in via the OTP code without a valid password. This issue only affected the git master branch for a short time. However, all end users are explicitly directed to use the git master branch in production.
Recommendations: For versions prior to 2021-03-12, update to a version after 2021-03-12 to resolve the issue. As a temporary workaround, consider disabling the auth_internal plugin until the fix has been applied. Restrict access to the OTP code login functionality to minimize the risk of exploitation.
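The flaw described above, as an added illustration that is not tt-rss's own code: a login routine in which a valid OTP short-circuits the password check, next to the corrected ordering where the password is always verified and the OTP is only an additional factor. The user store, the SHA-256 password hashing and the HOTP/TOTP helpers are constructed for this example (the OTP key is the RFC 4226 test key).

```python
import hashlib
import hmac
import struct
import time

# Constructed sample user store for this illustration (not tt-rss's schema).
USERS = {
    "alice": {
        "pw_hash": hashlib.sha256(b"correct horse").hexdigest(),
        "otp_secret": b"12345678901234567890",  # RFC 4226 test key, constructed
    },
}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter at Unix time `at`."""
    return hotp(secret, at // step)

def password_ok(user: dict, password: str) -> bool:
    return hmac.compare_digest(user["pw_hash"], hashlib.sha256(password.encode()).hexdigest())

def otp_ok(user: dict, otp, at: int) -> bool:
    # Reject non-digit input before the constant-time compare.
    return isinstance(otp, str) and otp.isdigit() and hmac.compare_digest(totp(user["otp_secret"], at), otp)

def login_vulnerable(username: str, password: str, otp, at=None) -> bool:
    """Flawed ordering: a valid OTP returns success before the password is checked."""
    at = int(time.time()) if at is None else at
    user = USERS.get(username)
    if user is None:
        return False
    if otp and user.get("otp_secret") and otp_ok(user, otp, at):
        return True  # BUG: password never verified
    return password_ok(user, password)

def login_fixed(username: str, password: str, otp, at=None) -> bool:
    """Password is always verified; an OTP is an extra factor, never a substitute."""
    at = int(time.time()) if at is None else at
    user = USERS.get(username)
    if user is None or not password_ok(user, password):
        return False
    if user.get("otp_secret"):
        return otp_ok(user, otp, at)
    return True
```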

Fix

Weakness Enumeration: Incorrect Authorization
Related Identifiers: CVE-2021-28373
Affected Products: Tiny Tiny RSS