Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or shoulder surfing, and replaying the OTP in the current time-step.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2017-09-06T21:00:00
Updated: 2024-08-06T07:43:45.764Z
Reserved: 2015-09-17T00:00:00
Link: CVE-2015-7225
Vulnrichment
No data.
NVD
Status : Modified
Published: 2017-09-06T21:29:00.957
Modified: 2024-11-21T02:36:22.910
Link: CVE-2015-7225
Redhat
No data.