CraftCMS Plugin - Two-Factor Authentication - Password Hash Disclosure
Description
The CraftCMS plugin Two-Factor Authentication in versions 3.3.1, 3.3.2 and 3.3.3 discloses the password hash of the currently authenticated user after submitting a valid TOTP.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CraftCMS Two-Factor Authentication plugin versions 3.3.1–3.3.3 expose the authenticated user's password hash after a valid TOTP submission, enabling session hijackers to crack passwords and disable MFA.
The vulnerability is an information disclosure in the Two-Factor Authentication plugin for CraftCMS. After a user submits a valid TOTP (time-based one-time password), the server response includes the password hash of the authenticated user. This occurs on endpoints used for enrolling a second factor and during login verification [2][3].
Exploitation requires an attacker to have obtained a valid session of a victim (e.g., through session hijacking) and to know or be able to provide a valid TOTP for that user. The attacker can then submit the TOTP to the vulnerable endpoints and receive the password hash in the response [3]. The CVSS score is 3.7 (Low) due to the high complexity of obtaining a session and TOTP [3].
With the password hash, the attacker can attempt offline cracking to recover the plaintext password. If successful, they can disable MFA from within the hijacked session and establish new sessions as the victim, leading to full account compromise [3]. The vulnerability is fixed in version 3.3.4 [4].
- oss-security - [SBA-ADV-20240202-01] CVE-2024-5657: CraftCMS Plugin - Two-Factor Authentication 3.3.1 to 3.3.3
- advisories/2024/SBA-ADV-20240202-01_CraftCMS_Plugin_Two-Factor_Authentication_Password_Hash_Disclosure at public · sbaresearch/advisories
- Release 3.3.4 · roelvanhintum/craft-twofactorauthentication
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| born05/craft-twofactorauthentication (Packagist) | >= 3.3.1, < 3.3.4 | 3.3.4 |
Affected products
- Range: 3.3.1, 3.3.2, 3.3.3
- Born05 / CraftCMS Plugin - Two-Factor Authentication (v5), Range: 3.3.1
Patches
eb93bcb73037 fix: Exposure of Sensitive Attributes
1 file changed · +1 −1
src/controllers/VerifyController.php+1 −1 modified@@ -94,7 +94,7 @@ private function _handleSuccessfulLogin(\craft\elements\User $user): Response $return['csrfTokenValue'] = $this->request->getCsrfToken(); } - return $this->asModelSuccess($user, modelName: 'user', data: $return); + return $this->asSuccess(data: $return); } return $this->redirectToPostedUrl($userSession->getIdentity(), $returnUrl);
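Review bot: The new `return $this->asSuccess(data: $return);` drops the `user` key from the JSON body entirely, so any front-end that read `user.id` or similar from the verification response will now break; the release notes for 3.3.4 should call out the changed response shape. If a client genuinely needs user data here, add an explicit allowlist to `$return` (for example `$return['user'] = ['id' => $user->id];`) rather than passing the model back to `asModelSuccess()`, which is what serialised the password hash in the first place. It is also worth confirming that nothing else placed into `$return` above the visible `csrfTokenValue` assignment is derived from the User model.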
Vulnerability mechanics
Root cause
"The `_handleSuccessfulLogin` method returns the full User model via `asModelSuccess()`, which includes sensitive attributes such as the password hash, instead of returning only safe data."
Attack vector
An attacker who already possesses valid credentials for a CraftCMS account and can successfully complete the TOTP step of the two-factor authentication flow will receive a response containing the full User model. This response includes the password hash of the authenticated user [patch_id=26991]. The attacker does not need any special network position beyond normal HTTP access to the application. The vulnerability is triggered simply by submitting a valid TOTP code to the verification endpoint, causing the server to return the password hash in the JSON response.
Affected code
The vulnerability is in `src/controllers/VerifyController.php`, specifically in the `_handleSuccessfulLogin()` method. This method calls `$this->asModelSuccess($user, ...)` which serializes the entire `craft\elements\User` model into the HTTP response, exposing all its attributes including the password hash.
What the fix does
The patch replaces `$this->asModelSuccess($user, modelName: 'user', data: $return)` with `$this->asSuccess(data: $return)` [patch_id=26991]. The `asModelSuccess()` method serializes the entire User model (including sensitive attributes like the password hash) into the response, while `asSuccess()` returns only the explicitly provided `$return` array. This closes the information disclosure by ensuring the User model object is never included in the HTTP response payload.
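The following is an added example, not code from the born05 plugin or from Craft CMS. It uses hypothetical stand-in classes (`DemoUser`, `DemoController`, and simplified `asModelSuccess()` / `asSuccess()` helpers that only mimic the behaviour the advisory describes, not Craft's real implementations) to show why returning a whole model leaks its `password` attribute while returning an explicit array does not, plus a small scanner a defender can run against a JSON body to catch this class of leak in tests.

```php
<?php
// Added example, not code from the born05 plugin or Craft CMS.
// DemoUser stands in for a Yii-style model whose toArray() dumps every
// attribute; DemoController mirrors the vulnerable and fixed return
// statements described in the advisory. All values are constructed.

declare(strict_types=1);

final class DemoUser
{
    public function __construct(
        public readonly int $id,
        public readonly string $username,
        public readonly string $email,
        // A real value would be a bcrypt/argon2 hash; this is a constructed placeholder.
        public readonly string $password,
    ) {}

    /** Yii-style dump of every attribute, including the hash. */
    public function toArray(): array
    {
        return get_object_vars($this);
    }

    /** Defence in depth: an explicit allowlist of attributes safe to serialise. */
    public function toSafeArray(): array
    {
        return ['id' => $this->id, 'username' => $this->username];
    }
}

final class DemoController
{
    /** Hypothetical helper that merges a whole model into the JSON body. */
    private function asModelSuccess(DemoUser $model, string $modelName, array $data): array
    {
        return array_merge($data, ['success' => true, $modelName => $model->toArray()]);
    }

    /** Hypothetical helper that returns only the explicitly supplied data. */
    private function asSuccess(array $data): array
    {
        return array_merge($data, ['success' => true]);
    }

    /** Mirrors the pre-3.3.4 behaviour: the full model leaks into the response. */
    public function vulnerableLoginResponse(DemoUser $user, string $csrfToken): array
    {
        $return = ['csrfTokenValue' => $csrfToken];
        return $this->asModelSuccess($user, 'user', $return);
    }

    /** Mirrors the 3.3.4 fix: no model object reaches the payload. */
    public function fixedLoginResponse(DemoUser $user, string $csrfToken): array
    {
        $return = ['csrfTokenValue' => $csrfToken];
        return $this->asSuccess($return);
    }
}

/** Recursively list response keys that look like credential material. */
function findSensitiveKeys(array $payload, string $prefix = ''): array
{
    $hits = [];
    foreach ($payload as $key => $value) {
        $path = $prefix === '' ? (string) $key : "$prefix.$key";
        if (is_array($value)) {
            $hits = array_merge($hits, findSensitiveKeys($value, $path));
        } elseif (preg_match('/password|passwd|hash|secret/i', (string) $key)) {
            $hits[] = $path;
        }
    }
    return $hits;
}

$user = new DemoUser(42, 'alice', 'alice@example.test', '$2y$13$constructed-hash-placeholder');
$controller = new DemoController();

$before = $controller->vulnerableLoginResponse($user, 'csrf-constructed');
$after  = $controller->fixedLoginResponse($user, 'csrf-constructed');

// The vulnerable body reports "user.password"; the fixed body reports nothing.
echo 'before: ', implode(', ', findSensitiveKeys($before)) ?: '(none)', PHP_EOL;
echo 'after:  ', implode(', ', findSensitiveKeys($after)) ?: '(none)', PHP_EOL;
```

`findSensitiveKeys()` is the piece worth keeping: a response-shape assertion like it, run in an integration test against every authentication endpoint, flags a whole-model serialisation before it ships, regardless of which framework helper introduced it.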
Preconditions
- auth: Attacker must have valid credentials for a CraftCMS account.
- input: Attacker must submit a valid TOTP code to complete the two-factor authentication flow.
Generated on May 18, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-3p4x-grpm-xw58 (ghsa, ADVISORY)
- github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-01_CraftCMS_Plugin_Two-Factor_Authentication_Password_Hash_Disclosure (ghsa, third-party-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-5657 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2024/06/06/1 (ghsa, WEB)
- github.com/born05/craft-twofactorauthentication/commit/eb93bcb73037171dae8ca5cfa4c20e7e5748b73a (ghsa, WEB)
- github.com/born05/craft-twofactorauthentication/releases/tag/3.3.4 (ghsa, release-notes, WEB)
- plugins.craftcms.com/two-factor-authentication (ghsa, product, WEB)