PT-2024-29567 · Craft Cms · Craft Cms
Fabiantuw
·
Published
2024-07-25
·
Updated
2024-08-26
·
CVE-2024-41800
CVSS v4.0
6.0
Medium
| Vector | AV:N/AC:H/AT:N/PR:N/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
Craft CMS versions prior to 5.2.3
Description
Craft CMS 5 accepts the same TOTP code more than once within its validity period: the server checks that a submitted code is valid for the current time window, but a code that has already been used to log in is not marked as consumed. An attacker who observes a code the victim has just used can re-submit it and establish an authenticated session. This requires that the attacker already knows the victim's credentials, since the TOTP code is only the second factor. A TOTP code stays valid for 2 minutes; the longer a code is accepted, the more guesses can be made against it, which also makes a successful brute-force attack more likely.
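To make the server-side flaw concrete, here is an added example in Python (it is not Craft's PHP code and not part of this advisory): a minimal RFC 6238 TOTP verifier in two variants. The vulnerable one accepts any code inside the validity window and keeps no record of what it has accepted, so a captured code can be replayed by anyone who also holds the password. The hardened one stores the highest time step accepted for each user and refuses a code for that step or an earlier one, which is the single-use behaviour RFC 6238 section 5.2 requires. The 30-second step, the 2-minute acceptance span, the user name and the RFC test secret are assumptions chosen to mirror the description above.

```python
import hashlib
import hmac
import struct
from typing import Dict

STEP = 30        # seconds per TOTP time step (assumed; RFC 6238 default)
PAST_STEPS = 3   # current step plus three earlier ones: a code is accepted for 120 s (assumed)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at) // step)


def _candidate_steps(now: int, step: int = STEP) -> range:
    """Time-step counters the server is willing to accept at `now`: the current one and PAST_STEPS earlier."""
    current = int(now) // step
    return range(current - PAST_STEPS, current + 1)


class VulnerableVerifier:
    """Mirrors the flaw described above: any code inside the window is accepted,
    and nothing records that it has already been used."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self.secrets[user]
        return any(hmac.compare_digest(hotp(secret, c), code) for c in _candidate_steps(now))


class ReplaySafeVerifier:
    """Same window, but the highest accepted time step is stored per user and a code
    for that step or an earlier one is refused, so a captured code cannot be replayed."""

    def __init__(self, secrets: Dict[str, bytes]):
        self.secrets = secrets
        self.last_step: Dict[str, int] = {}   # in production: a per-user DB column, updated atomically

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self.secrets[user]
        for c in _candidate_steps(now):
            if hmac.compare_digest(hotp(secret, c), code):
                if c <= self.last_step.get(user, -1):
                    return False            # already consumed, or older than a consumed step: replay
                self.last_step[user] = c
                return True
        return False


def demo():
    """Constructed scenario: a legitimate login, then the attacker replays the captured code 45 s later,
    then again after the validity period. Returns (vulnerable, hardened) results for each attempt."""
    secret = b"12345678901234567890"          # RFC 4226/6238 test secret, not a real credential
    t0 = 1_700_000_000                        # arbitrary login time (assumed)
    code = totp(secret, t0)
    vuln = VulnerableVerifier({"alice": secret})
    safe = ReplaySafeVerifier({"alice": secret})
    login = (vuln.verify("alice", code, t0), safe.verify("alice", code, t0))
    replay = (vuln.verify("alice", code, t0 + 45), safe.verify("alice", code, t0 + 45))
    expired = (vuln.verify("alice", code, t0 + 200), safe.verify("alice", code, t0 + 200))
    return login, replay, expired


if __name__ == "__main__":
    print(demo())   # ((True, True), (True, False), (False, False))
```

The hardened verifier only closes the replay; it does nothing about the brute-force angle mentioned above, which needs a separate per-user attempt limit on the second-factor step. In a real deployment the `last_step` record must live in persistent storage and be updated in the same transaction as the check, otherwise two concurrent requests carrying the same code can both pass before either has stored the step.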
Recommendations
For Craft CMS versions prior to 5.2.3, update to version 5.2.3 or later, which resolves the issue. Until the update is applied, restrict access to sensitive areas of the CMS to reduce exposure. Note that the reuse is accepted on the server side: a code that has already been used for a login remains usable for the rest of its validity period regardless of how the user handles it, so there is no client-side workaround.
Weakness Enumeration
Improper Authentication (CWE-287)
Related Identifiers
CVE-2024-41800
Affected Products
Craft Cms