Skip to content

scheb/two-factor-bundle bypass two-factor authentication with remember-me option

High severity GitHub Reviewed Published May 21, 2024 to the GitHub Advisory Database • Updated May 21, 2024

Package

composer scheb/two-factor-bundle (Composer)

Affected versions

>= 4.0.0, < 4.11.0
< 3.26.0

Patched versions

4.11.0
3.26.0

Description

In versions prior to 3.26.0 and prior to 4.11.0 of the "scheb/two-factor-bundle" project, a security vulnerability allowed attackers to bypass two-factor authentication (2FA) using the remember_me cookie. When the remember_me checkbox was used during login, a "REMEMBERME" cookie was created. Upon redirection to the 2FA page, attackers could manipulate the SESSIONID key, granting access to the homepage "/" and gaining authentication without completing 2FA.

References

Published to the GitHub Advisory Database May 21, 2024
Reviewed May 21, 2024
Last updated May 21, 2024

Severity

High
7.4
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-9phw-7h96-q3rv

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.