Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Tinyauth vulnerable to TOTP/2FA bypass via OIDC authorize endpoint
Vulnerability Description
Tinyauth is an authentication and authorization server. Prior to 5.0.3, the OIDC authorization endpoint allows users with a TOTP-pending session (password verified, TOTP not yet completed) to obtain authorization codes. An attacker who knows a user's password but not their TOTP secret can obtain valid OIDC tokens, completely bypassing the second factor. This vulnerability is fixed in 5.0.3.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Vulnerability Type
认证机制不恰当
Vulnerability Title
Tinyauth 授权问题漏洞
Vulnerability Description
Tinyauth是Stavros个人开发者的一个认证授权服务器。 Tinyauth 5.0.3之前版本存在授权问题漏洞,该漏洞源于OIDC授权端点允许具有待处理TOTP会话的用户获取授权码,可能导致攻击者完全绕过第二因素验证。
CVSS Information
N/A
Vulnerability Type
N/A