CVE-2024-8796
- EPSS 0.32%
- Veröffentlicht 17.09.2024 18:15:05
- Zuletzt bearbeitet 30.09.2024 14:10:38
Under the default configuration, Devise-Two-Factor versions >= 2.2.0 & < 6.0.0 generate TOTP shared secrets that are 120 bits instead of the 128-bit minimum defined by RFC 4226. Using a shared secret shorter than the minimum to generate a multi-facto...
CVE-2021-43177
- EPSS 0.39%
- Veröffentlicht 11.04.2022 20:15:16
- Zuletzt bearbeitet 21.11.2024 06:28:46
As a result of an incomplete fix for CVE-2015-7225, in versions of devise-two-factor prior to 4.0.2 it is possible to reuse a One-Time-Password (OTP) for one (and only one) immediately trailing interval. CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U...
CVE-2015-7225
- EPSS 0.65%
- Veröffentlicht 06.09.2017 21:29:00
- Zuletzt bearbeitet 20.04.2025 01:37:25
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user's login credent...