CVEbaza.plSłownik CWECWE-308
Common Weakness Enumeration

CWE-308

Use of Single-factor Authentication

Kategoria: BaseCVE: 12
Opis

Produkt wykorzystuje algorytm uwierzytelniania, który używa tylko jednego czynnika (np. hasła) w kontekście bezpieczeństwa wymagającym więcej niż jednego czynnika. Stanowi to podatność na ataki i obniża poziom bezpieczeństwa dostępu do systemu.

Description (EN)

The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor.

Podatności CVE z CWE-308 (12)
8.7
CVSS
HIGH
CVE-2025-64103

Starting from 2.53.6, 2.54.3, and 2.55.0, Zitadel only required multi factor authentication in case the login policy has either enabled requireMFA or requireMFAForLocalUsers. If a user has set up MFA without this requirement, Zitadel would consider single factor auhtenticated sessions as valid as well and not require multiple factors. Bypassing second authentication factors weakens multifactor authentication and enables attackers to bypass the more secure factor. An attacker can target the TOTP code alone, only six digits, bypassing password verification entirely and potentially compromising accounts with 2FA enabled. This vulnerability is fixed in 4.6.0, 3.4.3, and 2.71.18.

pub. 2025-10-29
8.4
CVSS
HIGH
CVE-2023-49075

The Admin Classic Bundle provides a Backend UI for Pimcore. `AdminBundle\Security\PimcoreUserTwoFactorCondition` introduced in v11 disable the two factor authentication for all non-admin security firewalls. An authenticated user can access the system without having to provide the two factor credentials. This issue has been patched in version 1.2.2.

pub. 2023-11-28
8.1
CVSS
HIGH
CVE-2026-45749

Termix is a web-based server management platform with SSH terminal, tunneling, and file editing capabilities. The `POST /users/totp/disable` and `POST /users/totp/backup-codes` endpoints in Termix prior to version 2.3.2 accept the account password as a sole authentication factor for MFA-critical operations. An attacker who obtains a user's password (phishing, credential stuffing, the passwordHash leak in GHSA-xxxx) can disable TOTP entirely or regenerate backup codes, without ever possessing the TOTP device or knowing a valid TOTP code. This renders two-factor authentication ineffective. Version 2.3.2 patches the issue.

pub. 2026-06-05
8.1
CVSS
HIGH
CVE-2025-42959

An unauthenticated attacker may exploit a scenario where a Hashed Message Authentication Code (HMAC) credential, extracted from a system missing specific security patches, is reused in a replay attack against a different system. Even if the target system is fully patched, successful exploitation could result in complete system compromise, affecting confidentiality, integrity, and availability.

pub. 2025-07-08
7.6
CVSS
HIGH
CVE-2024-47652

This vulnerability exists in Shilpi Client Dashboard due to implementation of inadequate authentication mechanism in the login module wherein access to any users account is granted with just their corresponding mobile number. A remote attacker could exploit this vulnerability by providing mobile number of targeted user, to obtain complete access to the targeted user account.

pub. 2024-10-04
6.9
CVSS
MEDIUM
CVE-2026-56022

Webmin accepts basic authentication without session cookies when an attacker provides the 'User-Agent: webmin' header, allowing bypass of additional MFA requirements. Fixed in 2.641.

pub. 2026-06-18
5.9
CVSS
MEDIUM
CVE-2024-27928

vantage6 is an open-source infrastructure for privacy preserving analysis. Prior to version 5.0.0, if an attacker hacks into a vantage6 user's email account, they can 1) reset the password via email and then 2) reset the 2FA token via email. This way they reduce 2FA to 1FA (email access). Note that most email providers require 2FA to access email, so this issue is not very likely to cause issues. Version 5.0.0 fixes the issue. No known workarounds are available.

pub. 2026-06-17
5.3
CVSS
MEDIUM
CVE-2023-25681

LDAP users on IBM Spectrum Virtualize 8.5 which are configured to require multifactor authentication can still authenticate to the CIM interface using only username and password. This does not affect local users with MFA configured or remote users authenticating via single sign-on. IBM X-Force ID: 247033.

pub. 2024-03-05
5.3
CVSS
MEDIUM
CVE-2023-50934

IBM PowerSC 1.3, 2.0, and 2.1 uses single-factor authentication which can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme. IBM X-Force ID: 275114.

pub. 2024-02-02
5.3
CVSS
MEDIUM
CVE-2023-34228

In JetBrains TeamCity before 2023.05 authentication checks were missing – 2FA was not checked for some sensitive account actions

pub. 2023-05-31
4.3
CVSS
MEDIUM
CVE-2024-50618

A Use of Single-factor Authentication vulnerability in the Authentication component of CIPPlanner CIPAce before 9.17 allows attackers to bypass a protection mechanism. When the system is configured to allow login with internal accounts, an attacker can possibly obtain full authentication if the secret in a single-factor authentication scheme gets compromised.

pub. 2026-02-11
2.0
CVSS
LOW
CVE-2026-33550

SOGo w wersjach przed 5.12.5 nie regeneruje OTP, gdy użytkownik je wyłącza lub włącza, a dodatkowo OTP ma zbyt krótką długość (tylko 12 cyfr zamiast rekomendowanych 20). To może umożliwić atakującemu przywrócenie dostępu do starych kodów jednorazowych.

pub. 2026-03-22
Informacje
ID: CWE-308
Typ: Base
Podatności: 12
MITRE CWE ↗
← Słownik CWE
CWE-308 — Zastosowanie Uwierzytelniania Jednoskładnikowego | Słownik CWE | CVEbaza.pl