Multi Factor Authentication Token Improperly Validated On User Login

Critical

0xAda published GHSA-fw57-f7mq-9q85

Feb 26, 2021

Package

RACTF Core (django)

Affected versions

>c57a4d186bfc586ad3edfe4dcba9f11efbf22f09

Patched versions

cebb67bd16a8296121201805332365ffccb29638

Description

Impact

Users with multi factor authentication enabled are able to log in without a valid token.

Patches

Patched in commit cebb67b

Workarounds

There are no workarounds available at this time.

References

c57a4d1#diff-60c444c47c061306f2dff5bf97c07810f40f949a8e94ecbb609b6b29364c8642R130-R152

For more information

If you have any questions or comments about this advisory:

Open an issue in core
Email us at security@ractf.co.uk

Severity

Critical

9.1

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

High

Privileges required

None

User interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H