漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Filament: Multi-factor authentication (app) recovery codes can still be used multiple times via concurrent submission
Vulnerability Description
Filament is a collection of full-stack components for accelerated Laravel development. From 4.0.0 until 4.11.5 and 5.6.5, a flaw in the handling of recovery codes for app-based multi-factor authentication allows the same recovery code to be reused via concurrent submission. This issue does not affect email-based MFA. It also only applies when recovery codes are enabled. If an attacker gains access to both the user's password and their recovery codes, they get two authenticated sessions per recovery code burned instead of one, or more if they batch the parallel submissions wider, materially extending the attacker's window of access compared to what the single-use guarantee implies. This vulnerability is fixed in 4.11.5 and 5.6.5.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
使用共享资源的并发执行不恰当同步问题(竞争条件)
Vulnerability Title
filamentphp filament 竞争条件问题漏洞
Vulnerability Description
filamentphp filament是filamentphp团队开源的一套Laravel后台管理面板。 filamentphp filament 4.0.0至4.11.5之前版本和5.0.0至5.6.5之前版本存在安全漏洞,该漏洞源于处理应用多因素认证的恢复码时存在竞争条件问题,可能导致同一恢复码通过并发提交重复使用。
CVSS Information
N/A
Vulnerability Type
N/A