Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Vikunja ahs a TOTP Two-Factor Authentication Bypass via OIDC Login Path
Vulnerability Description
Vikunja is an open-source self-hosted task management platform. Prior to 2.3.0, the OIDC callback handler issues a full JWT token without checking whether the matched user has TOTP two-factor authentication enabled. When a local user with TOTP enrolled is matched via the OIDC email fallback mechanism, the second factor is completely skipped. This vulnerability is fixed in 2.3.0.
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
认证机制不恰当
Vulnerability Title
Vikunja 授权问题漏洞
Vulnerability Description
Vikunja是Vikunja开源的一个待办事项应用程序。 Vikunja 2.3.0之前版本存在授权问题漏洞,该漏洞源于OIDC回调处理程序在未检查匹配用户是否启用TOTP双因素身份验证的情况下即颁发完整JWT令牌,可能导致完全跳过第二因素验证。
CVSS Information
N/A
Vulnerability Type
N/A