Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or shoulder surfing, and replaying the OTP in the current time-step.
History

No history.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-09-06T21:00:00

Updated: 2024-08-06T07:43:45.764Z

Reserved: 2015-09-17T00:00:00

Link: CVE-2015-7225

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Modified

Published: 2017-09-06T21:29:00.957

Modified: 2024-11-21T02:36:22.910

Link: CVE-2015-7225

cve-icon Redhat

No data.