Yubico: >> Yubikey One Time Password Validation Server >> 1.1 Security Vulnerabilities
The verify endpoint in YubiKey Validation Server before 2.40 does not check the length of SQL queries, which allows remote attackers to cause a denial of service, aka SQL injection. NOTE: this issue is potentially relevant to persons outside Yubico who operate a self-hosted OTP validation service; the issue does NOT affect YubiCloud.
CVSS Score
7.5
EPSS Score
0.006
Published
2020-03-05
The sync endpoint in YubiKey Validation Server before 2.40 allows remote attackers to replay an OTP. NOTE: this issue is potentially relevant to persons outside Yubico who operate a self-hosted OTP validation service with a non-default configuration such as an open sync pool; the issue does NOT affect YubiCloud.
CVSS Score
8.6
EPSS Score
0.006
Published
2020-03-05