mfa/FIDO2.py in django-mfa2 before 2.5.1 and 2.6.x before 2.6.1 allows a replay attack that could be used to register another device for a user. The device registration challenge is not invalidated after usage.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| django-mfa2(PyPI) | 0 | 2.5.1 | N/A |
| django-mfa2(PyPI) | 2.6.0 | 2.6.1 | N/A |
CVSS Metrics
