CVE-2024-5657
CVSS 3.1 Score 8.1 of 10 (high)
Details
Summary
CVE-2024-5657 is a vulnerability affecting the Two-Factor Authentication plugin in CraftCMS versions 3.3.1, 3.3.2, and 3.3.3. After a valid Two-Factor Authentication (TOTP) code is submitted, the plugin inadvertently discloses the password hash of the currently authenticated user. An attacker who obtains the hash could use it in password guessing or offline brute-force attacks and, if the password is recovered, gain unauthorized access to the account. Users are advised to update their CraftCMS installations to the latest version, 3.3.4, which includes a fix for this issue.