Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
2FAuth vulnerable to stored cross-site scripting via SVG upload and direct access render
Vulnerability Description
2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Versions prior to 5.4.1 are vulnerable to stored cross-site scripting due to improper headers in direct access to uploaded SVGs. The application allows uploading images in several places. One of the accepted types of image is SVG, which allows JS scripting. Therefore, by uploading a malicious SVG which contains JS code, an attacker which is able to drive a victim to the uploaded image could compromise that victim's session and access to their tokens. Version 5.4.1 contains a patch for the issue.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Vulnerability Title
2FAuth 安全漏洞
Vulnerability Description
2FAuth是Bubka个人开发者的一个用于管理双因素身份验证 (2FA) 帐户并生成其安全代码的 Web 应用程序。 2FAuth v5.4.1之前版本存在安全漏洞,该漏洞源于直接访问上传的SVG时标头不正确,容易受到存储型跨站脚本攻击。
CVSS Information
N/A
Vulnerability Type
N/A