CVE-2024-41800
Craft is a content management system (CMS). Craft CMS 5 allows reuse of TOTP tokens multiple times within the validity period. An attacker is able to re-submit a valid TOTP token to establish an authenticated session. This requires that the attacker has knowledge of the victim's credentials. This has been patched in Craft 5.2.3.
| Software | From | Fixed in |
|---|---|---|
craftcms / cms
|
5.0.0-beta.1 | 5.2.3 |
| craftcms / craft_cms | 5.0.1 | 5.2.3 |
| craftcms / craft_cms | 5.0.0-beta1 | 5.0.0-beta1.x |
| craftcms / craft_cms | 5.0.0-beta10 | 5.0.0-beta10.x |
| craftcms / craft_cms | 5.0.0-beta11 | 5.0.0-beta11.x |
| craftcms / craft_cms | 5.0.0-beta2 | 5.0.0-beta2.x |
| craftcms / craft_cms | 5.0.0-beta3 | 5.0.0-beta3.x |
| craftcms / craft_cms | 5.0.0-beta4 | 5.0.0-beta4.x |
| craftcms / craft_cms | 5.0.0-beta5 | 5.0.0-beta5.x |
| craftcms / craft_cms | 5.0.0-beta6 | 5.0.0-beta6.x |
| craftcms / craft_cms | 5.0.0-beta7 | 5.0.0-beta7.x |
| craftcms / craft_cms | 5.0.0-beta8 | 5.0.0-beta8.x |
| craftcms / craft_cms | 5.0.0-beta9 | 5.0.0-beta9.x |
| craftcms / craft_cms | 5.0.0-rc1 | 5.0.0-rc1.x |
- https://github.com/craftcms/cms/commit/7c790fa5ad5a8cb8016cb6793ec3554c4c079e38
- https://github.com/craftcms/cms/releases/tag/5.2.3
- https://github.com/craftcms/cms/security/advisories/GHSA-wmx7-pw49-88jx
- https://github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240617-01_CraftCMS_TOTP_Valid_After_Use
Deep Security Visibility Without the Complexity
SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.
- No setup fees
- 5-min deployment
- Cancel anytime