CVE-2023-36816 MEDIUM

CVE-2023-36816: Cross-Site Scripting (XSS) at Account creation in 2FAuth

Vendor Bubka
Product 2FAuth
Weakness CWE-79 · XSS
Published July 3, 2023
Last update November 22, 2024

CVSS base score

6.1/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H

What the vulnerability does

01 Description

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Cross-site scripting (XSS) injection can be done via the account/service field. This was tested in a docker-compose environment. This vulnerability has been patched in version 4.0.3.

Key dates

02 Disclosure timeline

July 3, 2023 CVE published
November 22, 2024 Record updated