You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Craft CMS 5 allows reuse of TOTP tokens multiple times within the
validity period.
Impact
An attacker is able to re-submit a valid TOTP token to establish an
authenticated session. This requires that the attacker has knowledge of the
victim's credentials.
A TOTP token can be used multiple times to establish an authenticated session. RFC 6238 insists that an OTP must not be used more than once.
The verifier MUST NOT accept the second attempt of the OTP after the
successful validation has been issued for the first OTP, which ensures
one-time only use of an OTP.
Verify that time-based OTP can be used only once within the validity period.
It should also be noted that the validity period of an TOTP token is 2
minutes. This makes a successful brute force attack more likely, since the
four tokens are valid at the same time.
Craft CMS 5 allows reuse of TOTP tokens multiple times within the
validity period.
Impact
An attacker is able to re-submit a valid TOTP token to establish an
authenticated session. This requires that the attacker has knowledge of the
victim's credentials.
A TOTP token can be used multiple times to establish an authenticated session.
RFC 6238 insists that an OTP must not be used more than once.
The OWASP Application Security Verification Standard v4.0.3 (ASVS) reiterates
this property with requirement 2.8.4.
It should also be noted that the validity period of an TOTP token is 2
minutes. This makes a successful brute force attack more likely, since the
four tokens are valid at the same time.
Patches
This has been patched in Craft 5.2.3.
References:
https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240617-01_CraftCMS_TOTP_Valid_After_Use
https://github.com/craftcms/cms/releases/tag/5.2.3