Description
The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider.
CVSS breakdown
CVSS 4.0
Attack Vector
Network
Attack Complexity
High
Attack Requirements
Present
Privileges Required
Low
User Interaction
None
Confidentiality (Vulnerable System)
High
Integrity (Vulnerable System)
High
Availability (Vulnerable System)
High
Confidentiality (Subsequent System)
None
Integrity (Subsequent System)
None
Availability (Subsequent System)
None
Affected products
- TYPO3 / Extension "E-Mail MFA Provider"0 – 1.0.5
- TYPO3 / Extension "E-Mail MFA Provider"2.0.0 – 2.0.0