Vikunja TOTP Reuse Vulnerability in Two-Factor Authentication

Vulnerability

A vulnerability exists in Vikunja, an open-source task management platform: for accounts with two-factor authentication (2FA) enabled, a Time-based One-Time Password (TOTP) that has already been used to log in is accepted again for the remainder of its 30-second validity period. Affected are Vikunja versions from 0.13 through 2.2.0, that is, all releases prior to 2.2.1. A TOTP is meant to be single-use (RFC 6238, section 5.2, requires the verifier to refuse a second attempt with an OTP that has already been validated), so accepting the same code for multiple authentications removes the replay resistance that 2FA is supposed to provide.

Impact

An attacker who already holds a victim's password and observes or intercepts the victim's current TOTP code (for example via a phishing proxy, shoulder surfing, or a compromised network path) can replay that same code within its validity window and obtain a second, unauthorized session alongside the legitimate one. A verifier with correct one-time semantics would reject the replayed code; in the affected versions it succeeds.

Reproduction

To reproduce this vulnerability, use a Vikunja account with 2FA enabled. Log in with a valid username, password, and the current TOTP code, then, before the 30-second time step expires, submit the same username, password, and TOTP code again from a second client. The second login succeeds and yields an additional session, where a correctly implemented verifier would reject the reused code. Capturing the code from the first login request (for instance with an intercepting proxy) and resubmitting it is enough to demonstrate the issue.
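The following Go program is an added illustration of the flaw described above and of the standard fix; it is not Vikunja's code and makes no claim about how Vikunja's login handler is written. It computes RFC 6238 TOTP values (HMAC-SHA1, 6 digits, 30-second step), then contrasts a naive verifier that accepts any currently valid code as often as it is presented with a verifier that records the last accepted time-step counter per user and refuses anything at or before it, which is the RFC 6238 section 5.2 requirement. The secret is the RFC 4226/6238 test secret and the user name "alice" is a constructed placeholder.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"sync"
	"time"
)

const totpStep int64 = 30 // RFC 6238 default time step in seconds

// totpCode returns the 6-digit RFC 6238 TOTP (HMAC-SHA1) for a raw secret at a Unix time.
func totpCode(secret []byte, unixTime int64) string {
	counter := uint64(unixTime / totpStep)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f // RFC 4226 dynamic truncation
	bin := (uint32(sum[offset])&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	return fmt.Sprintf("%06d", bin%1000000)
}

// verifyNaive models the flawed behaviour: a code matching the current time step
// (or an adjacent one, to tolerate clock drift) is accepted no matter how many
// times it has already been used.
func verifyNaive(secret []byte, code string, now int64) bool {
	for _, delta := range []int64{-1, 0, 1} {
		t := now + delta*totpStep
		if t < 0 {
			continue
		}
		if hmac.Equal([]byte(totpCode(secret, t)), []byte(code)) {
			return true
		}
	}
	return false
}

// Verifier remembers the highest time-step counter each user has successfully
// authenticated with, so a code can be consumed at most once.
type Verifier struct {
	mu       sync.Mutex
	lastUsed map[string]uint64 // user -> last accepted counter
}

func NewVerifier() *Verifier { return &Verifier{lastUsed: map[string]uint64{}} }

// Verify accepts a code only if it matches a step in the drift window AND that
// step is later than the last step this user already authenticated with.
func (v *Verifier) Verify(user string, secret []byte, code string, now int64) bool {
	v.mu.Lock()
	defer v.mu.Unlock()
	for _, delta := range []int64{-1, 0, 1} {
		t := now + delta*totpStep
		if t < 0 {
			continue
		}
		if !hmac.Equal([]byte(totpCode(secret, t)), []byte(code)) {
			continue
		}
		counter := uint64(t / totpStep)
		if last, ok := v.lastUsed[user]; ok && counter <= last {
			return false // replay: this step was already consumed
		}
		v.lastUsed[user] = counter
		return true
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226/6238 test secret (constructed input)
	now := time.Now().Unix()
	code := totpCode(secret, now)
	v := NewVerifier()
	fmt.Println("naive, first use:   ", verifyNaive(secret, code, now))
	fmt.Println("naive, replay +5s:  ", verifyNaive(secret, code, now+5))
	fmt.Println("tracked, first use: ", v.Verify("alice", secret, code, now))
	fmt.Println("tracked, replay +5s:", v.Verify("alice", secret, code, now+5))
}
```

The last-used counter must be stored durably and per user (in Vikunja's case that would mean alongside the user's TOTP secret in the database), otherwise a restart or a second application instance reopens the replay window. Rejecting counters at or below the stored one also blocks replay of a code from the previous drift-window step, at the cost of refusing a user who somehow presents an older-step code after a newer one.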

Remediation

Users should update to Vikunja version 2.2.1 or later, where this vulnerability is fixed. Until the update is applied, any exposure of a user's TOTP code should be treated as a compromise of that user's second factor for the remainder of the code's time step, since the password plus the observed code is sufficient for an additional login.

Added: Mar 24, 2026, 4:32 PM
Updated: Mar 24, 2026, 4:32 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 1.3
exploitability: 5.9
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.