Name of the Vulnerable Software and Affected Versions: SoftwareX versions prior to 4.0.0

Description: The issue arises during the setup of two-factor authentication using an authenticator app, where a QR code is generated and made available via a GET request to "/tf-qrcode". Since GET requests do not have CSRF protection, a malicious third party could potentially access the QR code and gain access to two-factor authentication codes. This endpoint is only accessible during the initial device setup, and the vulnerability is no longer present once setup is complete.

Recommendations: For versions prior to 4.0.0, consider defining SECURITY TWO FACTOR QRCODE URL and providing an alternative implementation that requires a POST request with CSRF protection, which would also involve changing the two-factor setup template. At the moment, there is no information about other mitigation measures for this vulnerability.