Description
Versions of otpauth prior to 3.2.8 are vulnerable to Authentication Bypass. The package’s totp.validate() function may return positive values for single digit tokens even if they are invalid. This may allow attackers to bypass the OTP authentication by providing single digit tokens.
Recommendation
Update the otpauth package to the latest compatible version. The version details are as follows:
- Affected version(s): < 3.2.8
- Patched version(s): 3.2.8
References
Related Issues
- ZDI-CAN-23894: Parse Server literalizeRegexPart SQL Injection Authentication Bypass Vulnerability - CVE-2024-39309
- Authentication bypass vulnerability in Apple Game Center auth adapter - CVE-2022-31083
- Authentication Bypass in @strapi/plugin-users-permissions - Vulnerability
- @strapi/plugin-users-permissions leaks 3rd party authentication tokens and authentication bypass - CVE-2024-34065
Tags:
- npm
- otpauth
Last updated on January 09, 2023