CraftCMS Plugin - Two-Factor Authentication - TOTP Token Stays Valid After Use
Description
The CraftCMS plugin Two-Factor Authentication through 3.3.3 allows reuse of TOTP tokens multiple times within the validity period.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The CraftCMS Two-Factor Authentication plugin through 3.3.3 fails to invalidate TOTP tokens after use, allowing reuse within the validity period.
The CraftCMS Two-Factor Authentication plugin versions 3.3.3 and earlier do not enforce one-time use of Time-based One-Time Password (TOTP) tokens. According to RFC 6238, a TOTP must not be accepted more than once; however, the plugin accepts the same token multiple times if used within its validity window [1][3].
An attacker who possesses a valid TOTP token and knows the victim's credentials can reuse that token to establish multiple authenticated sessions. For example, starting the login process in two separate browsers and submitting the same TOTP simultaneously can both succeed, as demonstrated in the proof of concept [1][3].
Successful exploitation allows an attacker to bypass the intended two-factor authentication and gain repeated access to the victim's account without generating new tokens. The CVSS base score is 4.8 (Medium), reflecting the need for prior knowledge of credentials but relatively low attack complexity [2][3].
The vulnerability is fixed in version 3.3.4 of the plugin. Users are strongly advised to update to this version or later to ensure TOTP tokens are invalidated after a single use [4].
- [1] oss-security - [SBA-ADV-20240202-02] CVE-2024-5658: CraftCMS Plugin - Two-Factor Authentication through 3.3.3
- [2] NVD - CVE-2024-5658
- [3] advisories/2024/SBA-ADV-20240202-02_CraftCMS_Plugin_Two-Factor_Authentication_TOTP_Valid_After_Use at public · sbaresearch/advisories
- [4] Release 3.3.4 · roelvanhintum/craft-twofactorauthentication
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
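To make the single-use requirement described above concrete, here is an added Python example (not the plugin's code) of a TOTP verifier that keeps a per-user record of accepted codes for the same lookback the fix uses (one 30-second step plus the configured delay plus a 1-second margin) and refuses a replay inside that window; the `single_use` switch, `TotpVerifier` class and the in-memory `used` store are assumptions of this example, and the test secret is the RFC 6238 Appendix B vector.

```python
import hashlib
import hmac
import struct

PERIOD = 30  # RFC 6238 default time step; the plugin's fix hard-codes 30 as well


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, period: int = PERIOD) -> str:
    """RFC 6238 TOTP for the time step containing unix time `now`."""
    return hotp(secret, now // period)


class TotpVerifier:
    """Server-side check (assumed design, not the plugin's). `delay` is the tolerance in
    seconds for late submissions (like the plugin's totpDelay); `single_use` toggles the
    replay check whose absence is the CVE."""

    def __init__(self, delay: int = 0, single_use: bool = True, period: int = PERIOD):
        self.delay, self.single_use, self.period = delay, single_use, period
        self.used = {}  # (user, token) -> unix time the token was accepted

    def _start_time(self, now: int) -> int:
        # Same lookback as the fix: one full step, the delay, and a 1 s margin.
        return now - (self.period + 1 + self.delay)

    def verify(self, user: str, secret: bytes, token: str, now: int) -> bool:
        # Expire records older than the lookback (what the fix's removeOldTokens does).
        start = self._start_time(now)
        self.used = {k: t for k, t in self.used.items() if t >= start}
        # Accept the code of any step that overlaps [now - delay, now].
        steps = range((now - self.delay) // self.period, now // self.period + 1)
        if not any(hmac.compare_digest(hotp(secret, c), token) for c in steps):
            return False
        if self.single_use and (user, token) in self.used:
            return False  # same token, same window: the replay the CVE describes
        # In a real store this check-then-insert must be atomic (e.g. a unique index
        # on (user, token)); otherwise two concurrent requests can both pass.
        self.used[(user, token)] = now
        return True
```

With `single_use=False` the verifier reproduces the vulnerable behaviour: the same code is accepted again as long as its step is still inside the tolerance.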
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| born05/craft-twofactorauthentication (Packagist) | < 3.3.4 | 3.3.4 |
Affected products
- Range: <= 3.3.3
- Born05 / CraftCMS Plugin - Two-Factor Authentication (v5; Range: 0)
Patches
89d2339463c0 fix: Corrected the single use token time window
1 file changed · +14 −6
src/services/Verify.php+14 −6 modified@@ -183,9 +183,7 @@ private function getUserRecord(User $user) */ private function isTokenUsed($token, User $user): bool { - $settings = TwoFactorAuth::$plugin->getSettings(); - $delay = is_int($settings->totpDelay) ? $settings->totpDelay : 0; - $start = new \DateTime("-$delay seconds"); + $start = $this->getTotpStartTime(); // Find the token used by user in the current window. $userTokenRecord = UserTokenRecord::find() @@ -230,9 +228,7 @@ private function insertToken($token, User $user) */ public function removeOldTokens(User $user) { - $settings = TwoFactorAuth::$plugin->getSettings(); - $delay = is_int($settings->totpDelay) ? $settings->totpDelay : 0; - $start = new \DateTime("-$delay seconds"); + $start = $this->getTotpStartTime(); $userTokenRecords = UserTokenRecord::find() ->where([ @@ -245,4 +241,16 @@ public function removeOldTokens(User $user) $userTokenRecord->delete(); } } + + /** + * Get TOTP start time + * @return \DateTime + */ + private function getTotpStartTime(): \DateTime + { + $settings = TwoFactorAuth::$plugin->getSettings(); + $delay = is_int($settings->totpDelay) ? $settings->totpDelay : 0; + $window = 31 + $delay; // Default window is 30 seconds, but we add 1 second to be sure. + return new \DateTime("-$window seconds"); + } }
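Review bot: in the first hunk (isTokenUsed), widening $start via getTotpStartTime() is the actual fix, since with the default totpDelay of 0 the old code set $start to the current instant and the lookup presumably never found a token recorded seconds earlier; but the check is still a find-then-insert, so two requests arriving together (the two-browser case in the advisory) can both miss the record and both insert unless UserTokenRecord has a unique index on the user/token pair or the check and insert run in one transaction. Consider adding that constraint. The comment `// Find the token used by user in the current window.` is also now inaccurate, as the query covers a full 30-second step plus the delay and a 1-second margin, i.e. every step in which the token could still be accepted.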
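Review bot: in the second hunk (removeOldTokens), the retention window now equals the lookback used by isTokenUsed, which is the invariant that keeps a used token on record for as long as it could still be accepted; a one-line comment stating that the two must stay equal would stop someone later tuning one of them independently. Sharing getTotpStartTime() already enforces it in code, so the comment is documentation only.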
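Review bot: in the third hunk, `$window = 31 + $delay;` hard-codes the 30-second step and the 1-second margin as one magic number; a named constant for the TOTP period (and deriving the window from it) would make the assumption explicit and keep the lookback correct if the period ever becomes configurable. The docblock `Get TOTP start time` would also help more if it said this is the earliest time at which a recorded token still counts as used.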
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-96qm-hwhp-2rm8 (ghsa; ADVISORY)
- github.com/sbaresearch/advisories/tree/public/2024/SBA-ADV-20240202-02_CraftCMS_Plugin_Two-Factor_Authentication_TOTP_Valid_After_Use (ghsa; third-party-advisory; WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-5658 (ghsa; ADVISORY)
- www.openwall.com/lists/oss-security/2024/06/06/2 (ghsa; WEB)
- github.com/born05/craft-twofactorauthentication/commit/89d2339463c0f3ee690e707d4bc8501360885289 (ghsa; WEB)
- github.com/born05/craft-twofactorauthentication/releases/tag/3.3.4 (ghsa; release-notes; WEB)
- plugins.craftcms.com/two-factor-authentication (ghsa; product; WEB)
News mentions
No linked articles in our index yet.