7.4

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-9phw-7h96-q3rv

EPSS Score

CWE

CWE-287

Published

5/21/2024

Updated

5/21/2024

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-9phw-7h96-q3rv

GHSA-9phw-7h96-q3rv: scheb/two-factor-bundle bypass two-factor authentication with remember-me option

In versions prior to 3.26.0 and prior to 4.11.0 of the "scheb/two-factor-bundle" project, a security vulnerability allowed attackers to bypass two-factor authentication (2FA) using the remember_me cookie. When the remember_me checkbox was used during login, a "REMEMBERME" cookie was created. Upon redirection to the 2FA page, attackers could manipulate the SESSIONID key, granting access to the homepage "/" and gaining authentication without completing 2FA.

(GitHub Advisory)

7.4

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-9phw-7h96-q3rv

EPSS Score

CWE

CWE-287

Published

5/21/2024

Updated

5/21/2024

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
scheb/two-factor-bundle	composer	>= 4.0.0, < 4.11.0	4.11.0
scheb/two-factor-bundle	composer	< 3.26.0	3.26.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises from the absence of the RememberMeServicesDecorator in the bundle's code prior to the patch. This decorator prevents the remember-me cookie from being set during the initial authentication step when two-factor authentication is required. In vulnerable versions, the Symfony's default remember-me service implementation (not part of the bundle) would set the cookie immediately after the first authentication step, allowing bypass before 2FA completion. The bundle's code didn't contain vulnerable functions per se, but lacked the necessary decorator to properly intercept and delay cookie creation. The core vulnerability stems from missing safeguards in the integration layer rather than specific vulnerable functions in the bundle's code.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In v*rsions prior to *.**.* *n* prior to *.**.* o* t** "s****/two-***tor-*un*l*" proj**t, * s**urity vuln*r**ility *llow** *tt**k*rs to *yp*ss two-***tor *ut**nti**tion (***) usin* t** r*m*m**r_m* *ooki*. W**n t** r*m*m**r_m* ****k*ox w*s us** *urin*

Reasoning

T** vuln*r**ility *ris*s *rom t** **s*n** o* t** `R*m*m**rM*S*rvi**s***or*tor` in t** *un*l*'s *o** prior to t** p*t**. T*is ***or*tor pr*v*nts t** r*m*m**r-m* *ooki* *rom **in* s*t *urin* t** initi*l *ut**nti**tion st*p w**n two-***tor *ut**nti**tio

7.4

Basic Information

Concerned about an active attack path?

GHSA-9phw-7h96-q3rv: scheb/two-factor-bundle bypass two-factor authentication with remember-me option

7.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI