GHSA-4p5r-3jmm-652q

Published: Sep 15, 2025
Source: github
Github: Reviewed
CVSS4: 2.1

Description

Liferay DXP Missing Critical Step in Authentication

Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user.

Packages

Name: com.liferay:com.liferay.multi.factor.authentication.timebased.otp.web (maven)
Affected versions: < 2.0.25
Fixed version: 2.0.25

EPSS

Percentile: 16%
0.00051
Low

CVSS4: 2.1 Low

Weaknesses

CWE-304

Related vulnerabilities

CVSS3: 6.5
nvd
5 months ago

Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92 and 7.3 GA through update 35 allows a time-based one-time password (TOTP) to be used multiple times during the validity period, which allows attackers with access to a user’s TOTP to authenticate as the user.
