PT-2026-25879 · Typo3 · Extension "E-Mail Mfa Provider"

Jan Holtkötter · Published 2026-03-17 · Updated 2026-03-17 · CVE-2026-4208

CVSS v4.0: 7.7
Vector: AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as the MFA code to the extension's MFA provider.
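
An added example, not the extension's code: a constructed PHP 8 model of one-time e-mail code verification, showing one assumed way a blanked-out code can end up matching an empty submission, next to a hardened check. The names PendingCode, verifyWeak and verifyHardened, and all sample values, are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed per-user state (hypothetical): the pending code and its expiry.
final class PendingCode
{
    public function __construct(
        public ?string $code = null,
        public int $expiresAt = 0,
    ) {}
}

// Assumed failure mode: the "reset" stores an empty string, and the check
// never asks whether a code is actually pending.
function verifyWeak(PendingCode $state, string $submitted): bool
{
    if ($submitted === (string)$state->code) {
        $state->code = '';
        return true;
    }
    return false;
}

// Hardened: a missing code or empty input always fails, expiry is enforced,
// the comparison is constant-time, and the code is removed after one use.
function verifyHardened(PendingCode $state, string $submitted, int $now): bool
{
    if ($state->code === null || $state->code === '' || $submitted === '') {
        return false;
    }
    if ($now > $state->expiresAt) {
        $state->code = null;
        return false;
    }
    $ok = hash_equals($state->code, $submitted);
    if ($ok) {
        $state->code = null;   // single use: nothing left to match against
        $state->expiresAt = 0;
    }
    return $ok;
}

// Constructed sample run: correct code, then empty input, then a replay.
$weak = new PendingCode('483920', 1000);
var_dump(verifyWeak($weak, '483920'), verifyWeak($weak, ''));
$safe = new PendingCode('483920', 1000);
var_dump(verifyHardened($safe, '483920', 900), verifyHardened($safe, '', 900));
var_dump(verifyHardened($safe, '483920', 900));
```

A regression test for a fix of this class of bug should assert that verification with an empty code fails both before any code has been issued and after a successful login.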

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-4208

Affected Products

Extension "E-Mail Mfa Provider"