CVE-2024-41800

Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. This has been patched in Craft 5.2.3.

CVSS v3 4.8 MEDIUM

4.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/craftcms/cms/commit/7c790fa5ad5a8cb8016cb6793ec3554c4c079e38
https://github.com/craftcms/cms/releases/tag/5.2.3
https://github.com/craftcms/cms/security/advisories/GHSA-wmx7-pw49-88jx
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240617-01_CraftCMS_TOTP_Valid_After_Use

Configurations

No configuration.

History

No history.

Information

Published : 2024-07-25 17:15

Updated : 2024-07-26 12:38

NVD link : CVE-2024-41800

Mitre link : CVE-2024-41800

CVE.ORG link : CVE-2024-41800

JSON object : View

Products Affected

No product.

CWE

CWE-287

Improper Authentication

4.8 /10