Closed
Description
There is a logic vulnerability in the verification code of the login interface
Is there an existing issue for this?
- I have searched the existing issues
Can the issue be reproduced with the default theme (daylight/midnight)?
- I was able to reproduce the issue with the default theme
Could the issue be due to extensions?
- I've ruled out the possibility that the extension is causing the problem.
Describe the problem
After the front end enters the correct verification code, the packet is captured and held, and then the current verification code can be used for unlimited replay attacks (the password can be cracked).
Step 1. Capture the packet
Step 2. Use the same verification code to blast the password
Step 3. Find the correct password without needing to verify the verification code
Expected result
The current verification code lifecycle ends after each login attempt
Screenshot or screen recording presentation
No response
Version environment
- Version: All Versions
- Operating System: All Systems
- Browser (if used): All Browsers
Log file
No need.
More information
No response
88250 commented on Nov 14, 2024
Hi, do you mean the captcha will not be reset?
xzajyjs commented on Nov 14, 2024
Yes
88250 commented on Nov 14, 2024
Thanks for the feedback, I have been able to reproduce the issue and will fix it in the next version.
🎨 Access authorization code captcha vulnerability #13147
🎨 Add a 'Remember me' checkbox when logging in to save a session #14964
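
The expected result stated in the report (the verification code's lifecycle ends after each login attempt) can be shown next to the reported behaviour. This is an added example, not the project's code or its fix. The `Session` class, the function names and the sample access code are hypothetical, and the captcha is assumed to be stored server-side per session.

```python
import hmac
import secrets

ACCESS_CODE = "constructed-access-code"  # constructed sample secret (assumption)


class Session:
    """Hypothetical server-side session; the captcha answer stays on the server."""

    def __init__(self):
        self.captcha = None
        self.new_captcha()

    def new_captcha(self):
        # A real application would render this value into an image for the user.
        self.captcha = secrets.token_hex(3)
        return self.captcha


def _same(a, b):
    # Constant-time comparison for both the captcha and the access code.
    return hmac.compare_digest(a.encode(), b.encode())


def login_reusable(session, password, captcha):
    """Reported behaviour: a solved captcha stays valid across attempts."""
    if session.captcha is None or not _same(captcha, session.captcha):
        return False
    return _same(password, ACCESS_CODE)


def login_single_use(session, password, captcha):
    """Expected behaviour: every attempt consumes the captcha, pass or fail."""
    expected, session.captcha = session.captcha, None  # invalidate before any check
    if expected is None or not _same(captcha, expected):
        return False
    return _same(password, ACCESS_CODE)


def replay_results(login, guesses):
    """Submit each guess with the same captcha value, solved once."""
    session = Session()
    solved = session.captcha
    return [login(session, guess, solved) for guess in guesses]


if __name__ == "__main__":
    guesses = ["wrong-1", "wrong-2", ACCESS_CODE]
    print("reusable  :", replay_results(login_reusable, guesses))
    print("single-use:", replay_results(login_single_use, guesses))
```

With the single-use handler, the client has to request a new captcha (`new_captcha()`) before each further attempt, so one solved value no longer covers a series of password guesses.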