CVE-2024-41800

Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. This has been patched in Craft 5.2.3.
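The token reuse described above, shown as an added illustration that is not Craft CMS's code: a minimal RFC 6238 TOTP verifier written in the shape the advisory describes (any code still inside the validity window is accepted on every submission) next to one that records the last consumed time step per user and rejects a re-submission of the same code. The secret, the user name, the timestamps and the one-step drift window are assumptions made for the demo, not values from the advisory.

```python
import hashlib
import hmac
import struct

# All values below are constructed for this demonstration; none are Craft CMS code or keys.
STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length
DRIFT_STEPS = 1     # accept one step of clock skew either side (assumption)
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step)


def _matching_step(secret: bytes, code: str, unix_time: int):
    """Return the time step whose code equals `code` (within the drift window), or None."""
    current = unix_time // STEP_SECONDS
    for drift in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        candidate = current + drift
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


class ReplayableVerifier:
    """The pattern the advisory describes: a code that is still inside the window is
    accepted however many times it has already been submitted."""

    def __init__(self, secret: bytes):
        self.secret = secret

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        return _matching_step(self.secret, code, unix_time) is not None


class ReplaySafeVerifier:
    """The fix: remember the highest time step each user has already consumed and refuse
    any code for that step or an earlier one (RFC 6238, section 5.2)."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_step = {}   # user -> last accepted step; a real deployment persists this

    def verify(self, user: str, code: str, unix_time: int) -> bool:
        step = _matching_step(self.secret, code, unix_time)
        if step is None:
            return False
        if step <= self.last_step.get(user, -1):
            return False   # replay of an already-consumed step
        self.last_step[user] = step
        return True


def demo(unix_time: int = 1_700_000_000) -> dict:
    """Submit the same valid code twice, a few seconds apart, against both verifiers."""
    code = totp(DEMO_SECRET, unix_time)
    weak, fixed = ReplayableVerifier(DEMO_SECRET), ReplaySafeVerifier(DEMO_SECRET)
    next_code = totp(DEMO_SECRET, unix_time + STEP_SECONDS)
    return {
        "replayable_first": weak.verify("alice", code, unix_time),
        "replayable_resubmit": weak.verify("alice", code, unix_time + 5),
        "safe_first": fixed.verify("alice", code, unix_time),
        "safe_resubmit": fixed.verify("alice", code, unix_time + 5),
        "safe_next_step": fixed.verify("alice", next_code, unix_time + STEP_SECONDS),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The per-user last-step store is what turns a time-based code into a one-time code: the drift window still tolerates clock skew, but once a step has been consumed every code for that step or an earlier one is refused, so a captured code cannot open a second session within the same 30-second window.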
Configurations

Configuration 1

OR cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:beta1:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:beta10:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:beta11:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:beta2:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:beta3:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:beta4:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:beta5:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:beta6:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:beta7:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:beta8:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:beta9:*:*:*:*:*:*
cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*

History

26 Aug 2024, 16:33

Type | Values Removed | Values Added
References | https://github.com/craftcms/cms/commit/7c790fa5ad5a8cb8016cb6793ec3554c4c079e38 | https://github.com/craftcms/cms/commit/7c790fa5ad5a8cb8016cb6793ec3554c4c079e38 (Patch)
References | https://github.com/craftcms/cms/releases/tag/5.2.3 | https://github.com/craftcms/cms/releases/tag/5.2.3 (Release Notes)
References | https://github.com/craftcms/cms/security/advisories/GHSA-wmx7-pw49-88jx | https://github.com/craftcms/cms/security/advisories/GHSA-wmx7-pw49-88jx (Vendor Advisory)
References | https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240617-01_CraftCMS_TOTP_Valid_After_Use | https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240617-01_CraftCMS_TOTP_Valid_After_Use (Third Party Advisory)
CVSS | v2: unknown; v3: 4.8 | v2: unknown; v3: 7.5
CPE | (none) | values added:
  cpe:2.3:a:craftcms:craft_cms:5.0.0:beta11:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:beta2:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:beta10:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:beta4:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:beta1:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:rc1:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:beta7:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:beta6:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:*:*:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:beta5:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:beta9:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:beta8:*:*:*:*:*:*
  cpe:2.3:a:craftcms:craft_cms:5.0.0:beta3:*:*:*:*:*:*
First Time | (none) | Craftcms craft Cms; Craftcms

26 Jul 2024, 12:38

Type | Values Removed | Values Added
Summary | (none) |
  • (es) Craft is a content management system (CMS). Craft CMS 5 allows TOTP tokens to be reused multiple times within the validity period. An attacker can re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. This has been patched in Craft 5.2.3.

25 Jul 2024, 17:15

Type | Values Removed | Values Added
New CVE

Information

Published : 2024-07-25 17:15

Updated : 2024-08-26 16:33


NVD link : CVE-2024-41800

Mitre link : CVE-2024-41800

CVE.ORG link : CVE-2024-41800



Products Affected

craftcms

  • craft_cms
CWE

CWE-287: Improper Authentication