GHSA-9phw-7h96-q3rv
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9phw-7h96-q3rv
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-9phw-7h96-q3rv/GHSA-9phw-7h96-q3rv.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9phw-7h96-q3rv
- Published
- 2024-05-21T18:22:04Z
- Modified
- 2024-12-06T05:35:32.128039Z
- Severity
-
- 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- scheb/two-factor-bundle bypass two-factor authentication with remember-me option
- Details
-
In versions prior to 3.26.0 and prior to 4.11.0 of the "scheb/two-factor-bundle" project, a security vulnerability allowed attackers to bypass two-factor authentication (2FA) using the rememberme cookie. When the rememberme checkbox was used during login, a "REMEMBERME" cookie was created. Upon redirection to the 2FA page, attackers could manipulate the SESSIONID key, granting access to the homepage "/" and gaining authentication without completing 2FA.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-287" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2024-05-21T18:22:04Z" }- References
-
- https://github.com/scheb/two-factor-bundle/issues/253
- https://github.com/scheb/two-factor-bundle/commit/3fbca9e821985559b444207a7c2d73b9b569b58b
- https://github.com/scheb/two-factor-bundle/commit/a149808d25c1553757c529b9568913ea1cec0894
- https://github.com/FriendsOfPHP/security-advisories/blob/master/scheb/two-factor-bundle/2019-12-19.yaml
- https://github.com/scheb/two-factor-bundle
Affected packages
Packagist / scheb/two-factor-bundle
Package
- Name
- scheb/two-factor-bundle
- Purl
- pkg:composer/scheb/two-factor-bundle
Packagist / scheb/two-factor-bundle
Package
- Name
- scheb/two-factor-bundle
- Purl
- pkg:composer/scheb/two-factor-bundle
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.26.0
Affected versions
v0.*
v0.1.0
v0.1.1
v0.2.0
v0.3.0
v1.*
v1.0.0
v1.1.0
v1.2.0
v1.2.1
v1.3.0
v1.3.1
v1.3.2
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.4.4
v1.4.5
v1.4.6
v1.4.7
v1.5.0
v1.5.1
v2.*
v2.0.0
v2.1.0
v2.2.0
v2.2.1
v2.2.2
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.4.0
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.2
v2.7.0
v2.8.0
v2.8.1
v2.8.2
v2.9.0
v2.10.0
v2.11.0
v2.12.0
v2.13.0
v2.14.0
v3.*
v3.0.0-beta1
v3.0.0-beta2
v3.0.0
v3.1.0
v3.2.0
v3.3.0
v3.3.1
v3.4.0
v3.5.0
v3.5.1
v3.6.0
v3.6.1
v3.6.2
v3.6.3
v3.7.0
v3.7.1
v3.8.0
v3.9.0
v3.10.0
v3.11.0
v3.11.1
v3.12.0
v3.12.1
v3.13.0
v3.13.1
v3.14.0
v3.15.0
v3.15.1
v3.16.0
v3.16.1
v3.16.2
v3.17.0
v3.17.1
v3.17.2
v3.18.0
v3.19.0
v3.19.1
v3.20.0
v3.20.1
v3.21.0
v3.22.0
v3.23.0
v3.24.0
v3.25.0