Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    2 vulnerabilities by xi

    CVE-2022-24857 (GCVE-0-2022-24857)

    Vulnerability from nvd – Published: 2022-04-15 18:50 – Updated: 2025-04-23 18:38
    VLAI
    Title
    Multi factor authentication bypass in django-mfa3
    Summary
    django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (< 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. The issue has been fixed in django-mfa3 0.5.0. It is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition *before* the admin routes: url('admin/login/', lambda request: redirect(settings.LOGIN_URL)
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    xi django-mfa3 Affected: < 0.5.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:20:50.472Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20220609-0003/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-24857",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T15:54:10.990167Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-23T18:38:55.074Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "django-mfa3",
              "vendor": "xi",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.5.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (\u003c 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. The issue has been fixed in django-mfa3 0.5.0. It is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition *before* the admin routes: url(\u0027admin/login/\u0027, lambda request: redirect(settings.LOGIN_URL)"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-09T18:06:11.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20220609-0003/"
            }
          ],
          "source": {
            "advisory": "GHSA-3r7g-wrpr-j5g4",
            "discovery": "UNKNOWN"
          },
          "title": "Multi factor authentication bypass in django-mfa3",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2022-24857",
              "STATE": "PUBLIC",
              "TITLE": "Multi factor authentication bypass in django-mfa3"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "django-mfa3",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 0.5.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "xi"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (\u003c 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. The issue has been fixed in django-mfa3 0.5.0. It is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition *before* the admin routes: url(\u0027admin/login/\u0027, lambda request: redirect(settings.LOGIN_URL)"
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287: Improper Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4"
                },
                {
                  "name": "https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de",
                  "refsource": "MISC",
                  "url": "https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de"
                },
                {
                  "name": "https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15",
                  "refsource": "MISC",
                  "url": "https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20220609-0003/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20220609-0003/"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-3r7g-wrpr-j5g4",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-24857",
        "datePublished": "2022-04-15T18:50:11.000Z",
        "dateReserved": "2022-02-10T00:00:00.000Z",
        "dateUpdated": "2025-04-23T18:38:55.074Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-24857 (GCVE-0-2022-24857)

    Vulnerability from cvelistv5 – Published: 2022-04-15 18:50 – Updated: 2025-04-23 18:38
    VLAI
    Title
    Multi factor authentication bypass in django-mfa3
    Summary
    django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (< 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. The issue has been fixed in django-mfa3 0.5.0. It is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition *before* the admin routes: url('admin/login/', lambda request: redirect(settings.LOGIN_URL)
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    xi django-mfa3 Affected: < 0.5.0
    Create a notification for this product.
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T04:20:50.472Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de"
              },
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://security.netapp.com/advisory/ntap-20220609-0003/"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-24857",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-23T15:54:10.990167Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-23T18:38:55.074Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "django-mfa3",
              "vendor": "xi",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.5.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (\u003c 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. The issue has been fixed in django-mfa3 0.5.0. It is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition *before* the admin routes: url(\u0027admin/login/\u0027, lambda request: redirect(settings.LOGIN_URL)"
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287: Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-06-09T18:06:11.000Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de"
            },
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://security.netapp.com/advisory/ntap-20220609-0003/"
            }
          ],
          "source": {
            "advisory": "GHSA-3r7g-wrpr-j5g4",
            "discovery": "UNKNOWN"
          },
          "title": "Multi factor authentication bypass in django-mfa3",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "security-advisories@github.com",
              "ID": "CVE-2022-24857",
              "STATE": "PUBLIC",
              "TITLE": "Multi factor authentication bypass in django-mfa3"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "django-mfa3",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "\u003c 0.5.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "xi"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "django-mfa3 is a library that implements multi factor authentication for the django web framework. It achieves this by modifying the regular login view. Django however has a second login view for its admin area. This second login view was not modified, so the multi factor authentication can be bypassed. Users are affected if they have activated both django-mfa3 (\u003c 0.5.0) and django.contrib.admin and have not taken any other measures to prevent users from accessing the admin login view. The issue has been fixed in django-mfa3 0.5.0. It is possible to work around the issue by overwriting the admin login route, e.g. by adding the following URL definition *before* the admin routes: url(\u0027admin/login/\u0027, lambda request: redirect(settings.LOGIN_URL)"
                }
              ]
            },
            "impact": {
              "cvss": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287: Improper Authentication"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/xi/django-mfa3/security/advisories/GHSA-3r7g-wrpr-j5g4"
                },
                {
                  "name": "https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de",
                  "refsource": "MISC",
                  "url": "https://github.com/xi/django-mfa3/commit/32f656e22df120b84bdf010e014bb19bd97971de"
                },
                {
                  "name": "https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15",
                  "refsource": "MISC",
                  "url": "https://github.com/xi/django-mfa3/blob/main/CHANGES.md#050-2022-04-15"
                },
                {
                  "name": "https://security.netapp.com/advisory/ntap-20220609-0003/",
                  "refsource": "CONFIRM",
                  "url": "https://security.netapp.com/advisory/ntap-20220609-0003/"
                }
              ]
            },
            "source": {
              "advisory": "GHSA-3r7g-wrpr-j5g4",
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2022-24857",
        "datePublished": "2022-04-15T18:50:11.000Z",
        "dateReserved": "2022-02-10T00:00:00.000Z",
        "dateUpdated": "2025-04-23T18:38:55.074Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }