django-two-factor-auth@1.7.0 vulnerabilities

django-two-factor-auth is a Complete Two-Factor Authentication for Django

Affected versions of this package are vulnerable to Improper Authorization. This issue arises when a site's configuration permits users to circumvent the necessary two-factor authentication (2FA) process for login, such as improperly configured admin logins that allow access without 2FA. Consequently, an attacker can disable a user's two-factor devices and establish a new 2FA setup to access areas requiring one-time passwords (OTP). Additionally, this vulnerability could be exploited through any of the user's multiple active sessions, enabling the attacker to deactivate 2FA without needing the physical device.

Upgrade django-two-factor-auth to version 1.13 or higher.

django-two-factor-auth is a Complete Two-Factor Authentication for Django

Affected versions of this package are vulnerable to Insecure Permissions. It is possible that if a site has been misconfigured and allows users to bypass django-two-factor-auth's login view (e.g. the admin site hasn't been configured correctly and admins can login without 2fa) and then disable that user's two-factor device(s). At this point an attacker could go set up a new two-factor and gain access to views protected by otp_required.This bug could also be exploited if the user has multiple sessions open before enabling two-factor auth. Any other session could then disable two-factor auth without having access to the device.

Upgrade django-two-factor-auth to version 1.13 or higher.

django-two-factor-auth is a Complete Two-Factor Authentication for Django

Affected versions of this package are vulnerable to Insufficiently Protected Credentials. It stores the user's password in clear text in the user session (base64-encoded).

Upgrade django-two-factor-auth to version 1.12 or higher.