Bubka 2Fauth vulnerabilities
4 known vulnerabilities affecting bubka/2fauth.
Total CVEs
4
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
CRITICAL1HIGH1MEDIUM2
Vulnerabilities
Page 1 of 1
CVE-2026-32133P2CRITICALCVSS 9.1fixed in 6.1.02026-03-11
CVE-2026-32133 [CRITICAL] CWE-918 CVE-2026-32133: 2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security c
2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Prior to 6.1.0, a blind SSRF vulnerability exists in 2FAuth that allows authenticated users to make arbitrary HTTP requests from the server to internal networks and cloud metadata endpoints. The image parameter in OTP URL is not properly valid
nvd
CVE-2024-52598P3HIGHCVSS 7.5fixed in 5.4.12024-11-20
CVE-2024-52598 [HIGH] CWE-79 CVE-2024-52598: 2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security c
2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Two interconnected vulnerabilities exist in version 5.4.1 a SSRF and URI validation bypass issue. The endpoint at POST /api/v1/twofaccounts/preview allows setting a remote URI to retrieve the image of a 2fa site. By abusing this functionality, it i
nvd
CVE-2024-52597P4MEDIUMCVSS 6.1fixed in 5.4.12024-11-20
CVE-2024-52597 [MEDIUM] CWE-79 CVE-2024-52597: 2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security c
2FAuth is a web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Versions prior to 5.4.1 are vulnerable to stored cross-site scripting due to improper headers in direct access to uploaded SVGs. The application allows uploading images in several places. One of the accepted types of image is SVG, which allows JS
nvd
CVE-2023-36816P4MEDIUMCVSS 6.1fixed in 4.0.32023-07-03
CVE-2023-36816 [MEDIUM] CWE-79 CVE-2023-36816: 2FA is a Web app to manage Two-Factor Authentication (2FA) accounts and generate their security code
2FA is a Web app to manage Two-Factor Authentication (2FA) accounts and generate their security codes. Cross site scripting (XSS) injection can be done via the account/service field. This was tested in docker-compose environment. This vulnerability has been patched in version 4.0.3.
nvd