CVE-2024-5657

LOW

CraftCMS <3.3.3 - Info Disclosure

Title source: llm

Description

The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP.

References (4)

[Exploit, Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2024/06/06/1

[Release Notes] https://github.com/born05/craft-twofactorauthentication/releases/tag/3.3.4

[Exploit, Third Party Advisory] https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-01_CraftCMS_Plugin_Two-Factor_Authentication_Password_Hash_Disclosure

View Exploit ZIP pw:eip

[Product] https://plugins.craftcms.com/two-factor-authentication?craft4

Scores

CVSS v3 3.7

EPSS 0.0021

EPSS Percentile 42.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Classification

CWE

CWE-522 CWE-499

Status published

Affected Products (2)

born05/two-factor_authentication < 3.3.4

born05/craft-twofactorauthentication < 3.3.4Packagist

Timeline

Published Jun 06, 2024

Tracked Since Feb 18, 2026