Base Score

HIGH8.1

CVE-2024-5657

The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP.

VectorNETWORK

Published By1e3a9e0f-5156-4bf8-b8a3-cc311bfc0f4a

Published DateJun 06, 2024, 11:15

Affected Versions(1)

born05/craft-twofactorauthentication(Packagist)

Introduced3.3.1

Fixed3.3.4

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
born05/craft-twofactorauthentication(Packagist)	3.3.1	3.3.4	N/A

Weakness Type (CWE):CWE-522

CVSS Metrics

Base Score

8.1

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH

References

Base Score

HIGH8.1

Weakness Type (CWE):CWE-522

CVSS Metrics

Base Score

8.1

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Base Severity

HIGH

Version

3.1

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

HIGH

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

HIGH

Integrity (I)

HIGH

Availability (A)

HIGH