Vulnerability Description
Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. This has been patched in Craft 5.2.3.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Craftcms | Craft Cms | >= 5.0.1, < 5.2.3 |
Related Weaknesses (CWE)
References
- https://github.com/craftcms/cms/commit/7c790fa5ad5a8cb8016cb6793ec3554c4c079e38Patch
- https://github.com/craftcms/cms/releases/tag/5.2.3Release Notes
- https://github.com/craftcms/cms/security/advisories/GHSA-wmx7-pw49-88jxVendor Advisory
- https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240617-01_CThird Party Advisory
- https://github.com/craftcms/cms/commit/7c790fa5ad5a8cb8016cb6793ec3554c4c079e38Patch
- https://github.com/craftcms/cms/releases/tag/5.2.3Release Notes
- https://github.com/craftcms/cms/security/advisories/GHSA-wmx7-pw49-88jxVendor Advisory
- https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240617-01_CThird Party Advisory
FAQ
What is CVE-2024-41800?
CVE-2024-41800 is a vulnerability with a CVSS score of 4.8 (MEDIUM). Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authe...
How severe is CVE-2024-41800?
CVE-2024-41800 has been rated MEDIUM with a CVSS base score of 4.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-41800?
Check the references section above for vendor advisories and patch information. Affected products include: Craftcms Craft Cms.