django-two-factor-auth@0.4.0 vulnerabilities
Complete Two-Factor Authentication for Django
-
latest version
1.17.0
-
latest non vulnerable version
-
first published
12 years ago
-
latest version published
3 months ago
-
licenses detected
- [0,)
Direct Vulnerabilities
Known vulnerabilities in the django-two-factor-auth package. This does not include vulnerabilities belonging to this package’s dependencies.
Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.Vulnerability | Vulnerable Version |
---|---|
django-two-factor-auth is a Complete Two-Factor Authentication for Django Affected versions of this package are vulnerable to Improper Authorization. This issue arises when a site's configuration permits users to circumvent the necessary two-factor authentication (2FA) process for login, such as improperly configured admin logins that allow access without 2FA. Consequently, an attacker can disable a user's two-factor devices and establish a new 2FA setup to access areas requiring one-time passwords (OTP). Additionally, this vulnerability could be exploited through any of the user's multiple active sessions, enabling the attacker to deactivate 2FA without needing the physical device. How to fix Improper Authorization? Upgrade |
[,1.13)
|
django-two-factor-auth is a Complete Two-Factor Authentication for Django Affected versions of this package are vulnerable to Insecure Permissions. It is possible that if a site has been misconfigured and allows users to bypass django-two-factor-auth's login view (e.g. the admin site hasn't been configured correctly and admins can login without 2fa) and then disable that user's two-factor device(s). At this point an attacker could go set up a new two-factor and gain access to views protected by How to fix Insecure Permissions? Upgrade |
[0,1.13)
|
django-two-factor-auth is a Complete Two-Factor Authentication for Django Affected versions of this package are vulnerable to Insufficiently Protected Credentials. It stores the user's password in clear text in the user session (base64-encoded). How to fix Insufficiently Protected Credentials? Upgrade |
[,1.12)
|