2FAuth has Blind SSRF in image parameter allows internal network access and more

2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. The image parameter in OTP URL is not properly validated for internal / private IP addresses before making HTTP requests. While the previous fix added response validation to ensure only valid images are stored but HTTP request is still made to arbitrary URLs before this validation occurs. This vulnerability is fixed in 6.1.0.

N/A

服务端请求伪造(SSRF)

2FAuth 代码问题漏洞

2FAuth是Bubka个人开发者的一个用于管理双因素身份验证 (2FA) 帐户并生成其安全代码的 Web 应用程序。 2FAuth 6.1.0之前版本存在代码问题漏洞，该漏洞源于OTP URL中的image参数在发起HTTP请求前未正确验证内部或私有IP地址，可能导致经过身份验证的用户从服务器向内部网络和云元数据端点发起任意HTTP请求。

N/A

N/A