{"id":"CVE-2024-5658","details":"The CraftCMS plugin Two-Factor Authentication through 3.3.3 allows reuse of TOTP tokens multiple times within the validity period.","aliases":["GHSA-96qm-hwhp-2rm8"],"modified":"2026-04-09T10:29:30.089260Z","published":"2024-06-06T11:15:49.573Z","references":[{"type":"WEB","url":"https://plugins.craftcms.com/two-factor-authentication?craft4"},{"type":"ADVISORY","url":"https://github.com/born05/craft-twofactorauthentication/releases/tag/3.3.4"},{"type":"EVIDENCE","url":"https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-02_CraftCMS_Plugin_Two-Factor_Authentication_TOTP_Valid_After_Use"},{"type":"EVIDENCE","url":"http://www.openwall.com/lists/oss-security/2024/06/06/2"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/born05/craft-twofactorauthentication","events":[{"introduced":"0"},{"fixed":"95af537ff3de0fe699d7f9a16a349fa870089387"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"3.3.4"}]}},{"type":"GIT","repo":"https://github.com/roelvanhintum/craft-twofactorauthentication","events":[{"introduced":"0"},{"fixed":"95af537ff3de0fe699d7f9a16a349fa870089387"}]}],"versions":["0.0.1","0.0.2","0.0.3","0.0.4","0.0.5","0.0.6","1.0.0","1.0.1","1.1.0","1.2.0","2.0.0","2.0.0-beta","2.0.0-beta.1","2.0.0-beta.10","2.0.0-beta.11","2.0.0-beta.12","2.0.0-beta.13","2.0.0-beta.14","2.0.0-beta.2","2.0.0-beta.3","2.0.0-beta.4","2.0.0-beta.5","2.0.0-beta.6","2.0.0-beta.7","2.0.0-beta.8","2.0.0-beta.9","2.1.0","2.1.0-beta.1","2.1.0-beta.2","2.1.1","2.1.2","2.10.0","2.2.0","2.3.0","2.4.0","2.5.0","2.6.0","2.6.1","2.6.2","2.6.3","2.7.0","2.7.0-beta.1","2.7.1","2.7.2","2.7.3","2.7.3.1","2.7.4","2.8.0","2.8.1","2.9.0","3.0.0","3.0.0-beta.1","3.0.1","3.1.0","3.2.0","3.2.1","3.3.0","3.3.1","3.3.2","3.3.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-5658.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"}]}