vulnerability

Debian: CVE-2015-7225: ruby-devise-two-factor -- security update

Try Surface Command

Back to search

Severity	CVSS	Published	Added	Modified
4	(AV:N/AC:M/Au:S/C:P/I:N/A:N)	2017-09-06	2024-07-30	2025-04-23

Severity

CVSS

(AV:N/AC:M/Au:S/C:P/I:N/A:N)

Published

2017-09-06

Added

2024-07-30

Modified

2025-04-23

Description

Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or shoulder surfing, and replaying the OTP in the current time-step.

Solution

debian-upgrade-ruby-devise-two-factor

References

CVE-2015-7225
https://attackerkb.com/topics/CVE-2015-7225

NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today