CVE-2015-7225 – devise-two-factor
Package
Manager: gem
Name: devise-two-factor
Vulnerable Version: >=0 <2.0.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00691 (percentile 0.70916)
Details
Tinfoil Devise-two-factor does not "burn" a successfully validated one-time password (OTP)
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow [RFC 6238 § 5.2](https://datatracker.ietf.org/doc/html/rfc6238#section-5.2) and does not "burn" a successfully validated one-time password (aka OTP), which allows physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or "shoulder surfing", and replaying the OTP in the current time-step.
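The RFC 6238 § 5.2 requirement the advisory refers to is that a verifier must not accept a second presentation of an OTP it has already validated. The following Ruby code is an added illustration of that mitigation; it is not devise-two-factor's own code, and the `TotpVerifier` class, its `burn:` option and the `last_consumed_step` bookkeeping are assumptions made for this example. The secret `12345678901234567890` is the published RFC 4226 / RFC 6238 test key, so the expected codes can be checked against the RFCs. With `burn: false` the verifier behaves like the pre-2.0.0 case described above (a code stays valid for the whole time-step window); with `burn: true` the time-step of a consumed code is recorded and any code at or before it is rejected.

```ruby
require 'openssl'

# Minimal TOTP verifier (hypothetical, for illustration; not the gem's code).
class TotpVerifier
  STEP   = 30   # seconds per time-step (RFC 6238 default)
  DIGITS = 6
  DRIFT  = 1    # accept one step of clock skew either way

  def initialize(secret, burn: true)
    @secret = secret
    @burn = burn
    @last_consumed_step = nil   # highest time-step already used for a login
  end

  # HOTP (RFC 4226) value for a given counter / time-step.
  def code_for(step)
    counter = [step].pack('Q>')                      # 8-byte big-endian counter
    hmac = OpenSSL::HMAC.digest('SHA1', @secret, counter)
    offset = hmac.getbyte(hmac.bytesize - 1) & 0x0f  # dynamic truncation
    bin = ((hmac.getbyte(offset) & 0x7f) << 24) |
          (hmac.getbyte(offset + 1) << 16) |
          (hmac.getbyte(offset + 2) << 8) |
          hmac.getbyte(offset + 3)
    format("%0#{DIGITS}d", bin % 10**DIGITS)
  end

  # Returns true if +otp+ is valid at Unix time +now+.
  # With burn: true, a time-step that has already been consumed (or any
  # earlier one) is refused, so a captured code cannot be replayed.
  def verify(otp, now)
    current = now / STEP
    (current - DRIFT..current + DRIFT).each do |step|
      next if @burn && @last_consumed_step && step <= @last_consumed_step
      next unless secure_compare(code_for(step), otp)

      @last_consumed_step = step if @burn
      return true
    end
    false
  end

  private

  # Constant-time string comparison so the check does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Demonstration of the difference: the same code presented twice inside one
# time-step, first against a verifier that burns codes, then one that does not.
def replay_demo(secret = '12345678901234567890')
  burning = TotpVerifier.new(secret, burn: true)
  legacy  = TotpVerifier.new(secret, burn: false)
  code = burning.code_for(59 / TotpVerifier::STEP)   # RFC 6238 vector at T=59
  {
    burning: [burning.verify(code, 59), burning.verify(code, 75)],
    legacy:  [legacy.verify(code, 59),  legacy.verify(code, 75)]
  }
end

puts replay_demo.inspect if $PROGRAM_NAME == __FILE__
# => {:burning=>[true, false], :legacy=>[true, true]}
```

The burn check rejects earlier steps as well as the exact consumed one, which is stricter than the RFC's minimum but keeps the state to a single integer per user; a genuinely new code at a later time-step is still accepted, as the last assertion shows.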
Metadata
Created: 2018-08-28T22:34:15Z
Modified: 2023-07-05T20:45:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/08/GHSA-x489-jjwm-52g7/GHSA-x489-jjwm-52g7.json
CWE IDs: []
Alternative ID: GHSA-x489-jjwm-52g7
Finding: F006
Auto approve: 1