
CWE-308

Use of Single-factor Authentication

Base · Draft · Likelihood: High

Description

The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor.

Hierarchy (View 1000)

Children

none

Related attack patterns (CAPEC)

CAPEC-16 · CAPEC-49 · CAPEC-509 · CAPEC-55 · CAPEC-555 · CAPEC-560 · CAPEC-561 · CAPEC-565 · CAPEC-600 · CAPEC-644 · CAPEC-645 · CAPEC-652 · CAPEC-653 · CAPEC-70

CVEs mapped to this weakness (5)

  • CVE-2026-45749 · High · Jun 5, 2026
    risk 0.53 · cvss 8.1 · epss 0.00

    Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor…

  • CVE-2025-42959 · High · Jul 8, 2025
    risk 0.53 · cvss 8.1 · epss 0.00

    An unauthenticated attacker may exploit a scenario where a Hashed Message Authentication Code (HMAC) credential, extracted from a system missing specific security patches, is reused in a replay attack against a different system. Even if the target system is fully patched,…

  • CVE-2024-27928 · Jun 5, 2026
    risk 0.00 · cvss · epss 0.00

    Impact: If an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access). Note that most email providers require 2FA to access email, so this issue…

  • CVE-2025-64103 · Oct 29, 2025
    risk 0.00 · cvss · epss 0.00

    Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor authenticated…

  • CVE-2023-49075 · Nov 28, 2023
    risk 0.00 · cvss · epss 0.01

    The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFactorCondition` introduced in v11 disables the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide…