Medium severity (CVSS 5.3) · NVD Advisory · Published Sep 6, 2017 · Updated May 13, 2026
CVE-2015-7225
Description
Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238 and does not "burn" a successfully validated one-time password (aka OTP), which allows remote or physically proximate attackers with a target user's login credentials to log in as said user by obtaining the OTP through performing a man-in-the-middle attack between the provider and verifier, or shoulder surfing, and replaying the OTP in the current time-step.
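The failure described above is the absence of a "burned" time-step: a verifier that only checks the code against the drift window accepts the same OTP again for the remainder of the 30-second step. The following is an added example, not code from devise-two-factor, that implements a minimal RFC 6238 verifier with both the replayable check and the hardened check that records the consumed time-step; the class and method names are hypothetical.

```ruby
require 'openssl'
# Minimal RFC 6238 verifier (added example, not devise-two-factor's own code).
class TotpVerifier
  STEP = 30    # time-step length in seconds (RFC 6238 default)
  DIGITS = 6
  DRIFT = 1    # accept +/- one step of clock drift

  def initialize(secret)
    @secret = secret            # raw shared-secret bytes
    @consumed_timestep = nil    # time-step of the last OTP accepted ("burned")
  end

  # RFC 4226 HOTP: dynamic truncation of HMAC-SHA1(secret, 8-byte big-endian counter)
  def hotp(counter)
    digest = OpenSSL::HMAC.digest('sha1', @secret, [counter].pack('Q>'))
    offset = digest.bytes.last & 0x0f
    code = digest.bytes[offset, 4].pack('C*').unpack1('N') & 0x7fffffff
    format("%0#{DIGITS}d", code % (10**DIGITS))
  end

  # Pre-2.0.0 pattern: checks the code against the drift window but records
  # nothing, so the same code is accepted again until the step expires.
  def validate_otp(code, now: Time.now.to_i)
    !matching_step(code, now).nil?
  end

  # Hardened pattern per RFC 6238 section 5.2: refuse any step at or before the
  # last consumed one, then burn the step that was just validated.
  def validate_and_consume_otp!(code, now: Time.now.to_i)
    step = matching_step(code, now)
    return false if step.nil?
    return false if @consumed_timestep && step <= @consumed_timestep
    @consumed_timestep = step
    true
  end

  private
  # Time-step counter in the drift window whose HOTP equals +code+, or nil.
  def matching_step(code, now)
    current = now / STEP
    (-DRIFT..DRIFT).map { |d| current + d }.find { |s| secure_eq(hotp(s), code) }
  end

  # Constant-time string comparison so the check itself does not leak digits.
  def secure_eq(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

In a real deployment the consumed time-step must be persisted with the user record (the 2.0.0 upgrade adds a column for it), otherwise a restart or a second app server would forget the burn.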
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| devise-two-factor | RubyGems | < 2.0.0 | 2.0.0 |
Affected products
- cpe:2.3:a:tinfoilsecurity:devise-two-factor:*:*:*:*:*:*:*:* (range: <= 1.1.0)
- ghsa-coords (range: < 2.0.0)
Patches
No patches discovered yet.
References
- www.securityfocus.com/bid/76789 (nvd: Third Party Advisory, VDB Entry)
- bugs.debian.org/cgi-bin/bugreport.cgi (nvd: Mailing List, Third Party Advisory, WEB)
- github.com/advisories/GHSA-x489-jjwm-52g7 (ghsa: ADVISORY)
- github.com/tinfoil/devise-two-factor/blob/master/UPGRADING.md (nvd: Third Party Advisory, WEB)
- github.com/tinfoil/devise-two-factor/issues/45 (nvd: Third Party Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2015-7225 (ghsa: ADVISORY)
- www.openwall.com/lists/oss-security/2015/06/20/4 (nvd: Mailing List, VDB Entry, WEB)
- www.openwall.com/lists/oss-security/2015/09/06/2 (ghsa: WEB)
- www.openwall.com/lists/oss-security/2015/09/17/2 (nvd: Mailing List, VDB Entry, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/devise-two-factor/CVE-2015-7225.yml (ghsa: WEB)
- web.archive.org/web/20210122192452/https://www.securityfocus.com/bid/76789 (ghsa: WEB)