KeyIdentity LinOTP before 2.10.5.3 has Incorrect Access Control (issue 1 of 2).
mitre·CWE-294·Published 2019-06-27
KeyIdentity LinOTP before 2.10.5.3 has Incorrect Access Control (issue 1 of 2).
KeyIdentity LinOTP before 2.10.5.3 has Incorrect Access Control (issue 1 of 2).
KeyIdentity LinOTP before 2.10.5.3 has Incorrect Access Control (issue 1 of 2).
LinOTP is prone to a replay attack with activated automatic resynchronization. This vulnerability may allow an attacker to successfully log in with OTP values recorded at a previous point in time. This attack is only possible if automatic resynchronization is enabled for the TOTP token type. The automatic resynchronization is deactivated by default. All other tokens are unaffected.
KeyIdentity LinOTP anterior a 2.10.5.3 tiene un control de acceso incorrecto (problema 1 de 2).
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 6.8 | 8.6 | 6.4 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| 3.0 | Primary | NVD | 8.1 | 2.2 | 5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 3.1 | Secondary | GHSA | 8.1 | — | — | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| 4.0 | Secondary | GHSA | 9.2 | — | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |