cvedb.io
CVE-2015-7225
MEDIUM · CVSS 5.3
EPSS exploitation probability: 0%
Published 2017-09-06T21:29:00.957 · Last modified 2026-06-17T00:32:05.073

Summary

Tinfoil Devise-two-factor before 2.0.0 does not strictly follow section 5.2 of RFC 6238: it does not "burn" a successfully validated one-time password (OTP), so the same OTP is accepted again within its time-step. A remote or physically proximate attacker who already holds a target user's login credentials can obtain a valid OTP by performing a man-in-the-middle attack between the provider and verifier, or by shoulder surfing, and replay it in the current time-step to log in as that user.
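To make the missing burn step concrete, the following is an added Ruby example (not code from devise-two-factor or from cvedb): a minimal RFC 6238 verifier in the pre-2.0.0 style beside one that records the time-step of the last validated OTP, as section 5.2 requires. The secret is the RFC 4226/6238 test-vector seed, and the verifier class names and `replay_outcome` helper are invented for this illustration.

```ruby
require 'openssl'

# Constructed sample secret: the RFC 4226 / RFC 6238 test-vector seed, as raw bytes.
SECRET = '12345678901234567890'
STEP, DIGITS, DRIFT = 30, 6, 1   # 30 s time-steps, 6 digits, one step of clock skew each way

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
def hotp(secret, counter)
  h = OpenSSL::HMAC.digest('SHA1', secret, [counter].pack('Q>')).bytes
  off = h[19] & 0x0f
  code = ((h[off] & 0x7f) << 24) | (h[off + 1] << 16) | (h[off + 2] << 8) | h[off + 3]
  format("%0#{DIGITS}d", code % 10**DIGITS)
end

def timestep(now)   # TOTP (RFC 6238) is HOTP keyed on this value
  now.to_i / STEP
end

# Constant-time comparison so verification does not leak the OTP through timing.
def secure_eq(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Pre-2.0.0 behaviour: any OTP matching a step inside the drift window is accepted, however often it was already presented.
class ReplayableVerifier
  def initialize(secret)
    @secret = secret
  end
  def verify(otp, now)
    !matching_step(otp, timestep(now)).nil?
  end
  def matching_step(otp, t, floor = -1)   # first step in the window above floor whose OTP matches
    (t - DRIFT..t + DRIFT).find { |c| c > floor && secure_eq(hotp(@secret, c), otp) }
  end
end

# RFC 6238 section 5.2: remember the time-step of the last validated OTP and refuse anything at or before it.
class BurningVerifier < ReplayableVerifier
  def verify(otp, now)
    step = matching_step(otp, timestep(now), @last_consumed || -1)
    return false if step.nil?
    @last_consumed = step   # burn the step; a real app persists this per user
    true
  end
end

# [first use accepted?, same-step replay accepted?, next genuine code accepted?]
def replay_outcome(verifier_class)
  v = verifier_class.new(SECRET)
  first = hotp(SECRET, timestep(59))   # time-step 1; RFC 6238 vector gives 287082
  [v.verify(first, 59), v.verify(first, 45), v.verify(hotp(SECRET, timestep(90)), 90)]
end
```

`replay_outcome(ReplayableVerifier)` yields `[true, true, true]` (the replay at second 45 is still inside time-step 1 and is accepted), while `replay_outcome(BurningVerifier)` yields `[true, false, true]`: the replay is refused but the next genuine code still works.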

Affected products

tinfoilsecurity — devise-two-factor

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.