CVE-2025-42615
CVSS v4.0 severity:
HIGH
Type:
Not available / Other type
Publication date:
08/12/2025
Last modified:
08/12/2025
Description
In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the account to be locked or generating any specific alert for administrators.

This lack of rate-limiting and lockout on OTP failures significantly lowers the cost of online brute-force attacks against 2FA codes and increases the risk of successful account takeover, especially if OTP entropy is reduced (e.g. short numeric codes, user reuse, or predictable tokens). Additionally, administrators had no direct visibility into accounts experiencing repeated 2FA failures, making targeted attacks harder to detect and investigate.

The patch introduces a persistent failed_otp_attempts counter on user accounts, locks the user after 5 invalid OTP submissions, resets the counter on successful verification, and surfaces failed 2FA attempts in the admin user list. This enforces an account lockout policy for OTP brute-force attempts and improves monitoring capabilities for suspicious 2FA activity. This issue affects Vulnerability-Lookup: before 2.18.0.
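The lockout policy described above, written out as an added example (this is not code from the Vulnerability-Lookup project). It assumes an in-memory `User` record in place of the project's database model; the `failed_otp_attempts` name follows the advisory, everything else (function names, the constructed users and placeholder OTP values) is hypothetical.

```python
"""Added example: OTP verification with a persistent failure counter,
lockout after 5 invalid submissions, reset on success, and an admin view
of accounts with 2FA failures. Not Vulnerability-Lookup's own code."""
import hmac
from dataclasses import dataclass

MAX_FAILED_OTP_ATTEMPTS = 5  # lock after 5 invalid submissions, as in the fix


@dataclass
class User:
    username: str
    expected_otp: str           # the code the authenticator should produce
    failed_otp_attempts: int = 0  # persisted with the account, not per-session
    locked: bool = False


def verify_otp(user: User, submitted: str) -> bool:
    """Check one OTP submission; count failures, lock at the threshold."""
    if user.locked:
        return False                   # a locked account never verifies
    if hmac.compare_digest(user.expected_otp, submitted):
        user.failed_otp_attempts = 0   # success clears the counter
        return True
    user.failed_otp_attempts += 1      # every wrong code is recorded
    if user.failed_otp_attempts >= MAX_FAILED_OTP_ATTEMPTS:
        user.locked = True             # further guesses are refused
    return False


def accounts_with_failed_2fa(users):
    """What the admin user list should surface: who has 2FA failures."""
    return [(u.username, u.failed_otp_attempts, u.locked)
            for u in users if u.failed_otp_attempts > 0]


def demo():
    # Constructed sample users; the OTP values are placeholders, not real codes.
    alice = User("alice", "482913")
    bob = User("bob", "117755")
    for guess in ("000000", "000001", "000002", "000003", "000004", "000005"):
        verify_otp(alice, guess)       # six wrong codes: locked after the 5th
    verify_otp(bob, "999999")          # one wrong code against bob ...
    verify_otp(bob, "117755")          # ... then the right one resets him
    return alice, bob, accounts_with_failed_2fa([alice, bob])
```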
Impact
Base score 4.0
8.10
Severity 4.0
HIGH