Benoit Côté-Jodoin and Michael Nipper discovered that Devise-Two-Factor incorrectly handled one-time password validation. An attacker could possibly use this issue to intercept and re-use a one-time password. (CVE-2021-43177) Garrett Rappaport discovered that Devise-Two-Factor incorrectly handled generating multi-factor authentication codes. An attacker could possibly use this issue to generate valid multi-factor authentication codes. (CVE-2024-8796)
Continue reading...
Continue reading...