CVE-2024-41800: Craft CMS Allows TOTP Token To Stay Valid After Use
First published: Thu Jul 25 2024(Updated: )
Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. ### Impact An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. A TOTP token can be used multiple times to establish an authenticated session. [RFC 6238](https://www.rfc-editor.org/rfc/rfc6238) insists that an OTP must not be used more than once. > The verifier MUST NOT accept the second attempt of the OTP after the successful validation has been issued for the first OTP, which ensures one-time only use of an OTP. The OWASP Application Security Verification Standard v4.0.3 (ASVS) [reiterates this property with requirement 2.8.4](https://github.com/OWASP/ASVS/blob/v4.0.3/4.0/en/0x11-V2-Authentication.md#v28-one-time-verifier). > Verify that time-based OTP can be used only once within the validity period. It should also be noted that the validity period of an TOTP token is 2 minutes. This makes a successful brute force attack more likely, since the four tokens are valid at the same time. ### Patches This has been patched in Craft 5.2.3. References: https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV 2024061701_CraftCMS_TOTP_Valid_After_Use https://github.com/craftcms/cms/releases/tag/5.2.3
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/craftcms/cms | >=5.0.0-beta.1<=5.2.2 | 5.2.3 |
| Craftcms Craft Cms | >=5.0.1<5.2.3 | |
| Craftcms Craft Cms | =5.0.0-beta1 | |
| Craftcms Craft Cms | =5.0.0-beta10 | |
| Craftcms Craft Cms | =5.0.0-beta11 | |
| Craftcms Craft Cms | =5.0.0-beta2 | |
| Craftcms Craft Cms | =5.0.0-beta3 | |
| Craftcms Craft Cms | =5.0.0-beta4 | |
| Craftcms Craft Cms | =5.0.0-beta5 | |
| Craftcms Craft Cms | =5.0.0-beta6 | |
| Craftcms Craft Cms | =5.0.0-beta7 | |
| Craftcms Craft Cms | =5.0.0-beta8 | |
| Craftcms Craft Cms | =5.0.0-beta9 | |
| Craftcms Craft Cms | =5.0.0-rc1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/craftcms/cms/security/advisories/GHSA-wmx7-pw49-88jx
- https://github.com/craftcms/cms/commit/7c790fa5ad5a8cb8016cb6793ec3554c4c079e38
- https://github.com/craftcms/cms/releases/tag/5.2.3
- https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240617-01_CraftCMS_TOTP_Valid_After_Use
- https://nvd.nist.gov/vuln/detail/CVE-2024-41800
- https://github.com/advisories/GHSA-wmx7-pw49-88jx (Advisory)
- agent/title
- agent/weakness
- agent/type
- agent/first-publish-date
- agent/event
- agent/description
- collector/nvd-cve
- source/NVD
- agent/references
- agent/author
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-wmx7-pw49-88jx
- alias/CVE-2024-41800
- agent/software-canonical-lookup
- collector/github-advisory
- collector/nvd-api
- agent/last-modified-date
- agent/remedy
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/trending
- package-manager/composer
- vendor/craftcms
- canonical/craftcms craft cms
- version/craftcms craft cms/5.0.1
- version/craftcms craft cms/5.0.0-beta1
- version/craftcms craft cms/5.0.0-beta10
- version/craftcms craft cms/5.0.0-beta11
- version/craftcms craft cms/5.0.0-beta2
- version/craftcms craft cms/5.0.0-beta3
- version/craftcms craft cms/5.0.0-beta4
- version/craftcms craft cms/5.0.0-beta5
- version/craftcms craft cms/5.0.0-beta6
- version/craftcms craft cms/5.0.0-beta7
- version/craftcms craft cms/5.0.0-beta8
- version/craftcms craft cms/5.0.0-beta9
- version/craftcms craft cms/5.0.0-rc1