Home > Vulnerability Database > WS-2019-0187

Mend.io Vulnerability Database

WS-2019-0187

Good to know:

Date: July 22, 2019

Versions of otpauth prior to 3.2.8 are vulnerable to Authentication Bypass. The package's totp.validate() function may return positive values for single digit tokens even if they are invalid. This may allow attackers to bypass the OTP authentication by providing single digit tokens.

Language: JS

Severity Score

7.5

Related Resources (3)

Url: https://github.com/hectorm/otpauth/compare/v3.2.7...v3.2.8

Url: https://github.com/hectorm/otpauth/commit/662ee16acfd92571a86e3efeeefff246abe8be78,https://github.com/hectorm/otpauth/commit/ae89817972ea5ee544dd2f567657acad4d1bb048

Url: https://www.mend.io/vulnerability-database/WS-2019-0187

Severity Score

7.5

Weakness Type (CWE)

Authentication Bypass Using an Alternate Path or Channel

CWE-288

Top Fix

Upgrade Version

Upgrade to version 3.2.8

Learn More

CVSS v3.1

Base Score:	7.5
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	NONE
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

WS-2019-0187

Good to know:

Date: July 22, 2019

Language: JS

Severity Score

Related Resources (3)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?