Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-25227

Summary
Assigner-Joomla
Assigner Org ID-6ff30186-7fb7-4ad9-be33-533e7b05e586
Published At-08 Apr, 2025 | 16:24
Updated At-21 Apr, 2025 | 07:16
Rejected At-
Credits

[20250402] - Joomla Core - MFA Authentication Bypass

Insufficient state checks lead to a vector that allows to bypass 2FA checks.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Joomla
Assigner Org ID:6ff30186-7fb7-4ad9-be33-533e7b05e586
Published At:08 Apr, 2025 | 16:24
Updated At:21 Apr, 2025 | 07:16
Rejected At:
▼CVE Numbering Authority (CNA)
[20250402] - Joomla Core - MFA Authentication Bypass

Insufficient state checks lead to a vector that allows to bypass 2FA checks.

Affected Products
Vendor
Joomla!Joomla! Project
Product
Joomla! CMS
Default Status
unaffected
Versions
Affected
  • 4.0.0-4.4.12
  • 5.0.0-5.2.5
Problem Types
TypeCWE IDDescription
CWECWE-287CWE-287 Improper Authentication
Type: CWE
CWE ID: CWE-287
Description: CWE-287 Improper Authentication
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-115CAPEC-115: Authentication Bypass
CAPEC ID: CAPEC-115
Description: CAPEC-115: Authentication Bypass
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://developer.joomla.org/security-centre/964-20250402-core-mfa-authentication-bypass.html
vendor-advisory
Hyperlink: https://developer.joomla.org/security-centre/964-20250402-core-mfa-authentication-bypass.html
Resource:
vendor-advisory
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@joomla.org
Published At:08 Apr, 2025 | 17:15
Updated At:04 Jun, 2025 | 20:49

Insufficient state checks lead to a vector that allows to bypass 2FA checks.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.17.5HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Type: Secondary
Version: 3.1
Base score: 7.5
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CPE Matches
Joomla!
joomla
>>joomla\!>>Versions from 4.0.0(inclusive) to 4.4.13(exclusive)
cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
Joomla!
joomla
>>joomla\!>>Versions from 5.0.0(inclusive) to 5.2.6(exclusive)
cpe:2.3:a:joomla:joomla\!:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-287Secondarysecurity@joomla.org
NVD-CWE-noinfoPrimarynvd@nist.gov
CWE ID: CWE-287
Type: Secondary
Source: security@joomla.org
CWE ID: NVD-CWE-noinfo
Type: Primary
Source: nvd@nist.gov
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://developer.joomla.org/security-centre/964-20250402-core-mfa-authentication-bypass.htmlsecurity@joomla.org
Vendor Advisory
Hyperlink: https://developer.joomla.org/security-centre/964-20250402-core-mfa-authentication-bypass.html
Source: security@joomla.org
Resource:
Vendor Advisory

Change History

0
Information is not available yet

Similar CVEs

103Records found
CVE-2021-29047
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.21% / 43.79%
||
7 Day CHG~0.00%
Published-16 May, 2021 | 15:29
Updated-03 Aug, 2024 | 21:55
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The SimpleCaptcha implementation in Liferay Portal 7.3.4, 7.3.5 and Liferay DXP 7.3 before fix pack 1 does not invalidate CAPTCHA answers after it is used, which allows remote attackers to repeatedly perform actions protected by a CAPTCHA challenge by reusing the same CAPTCHA answer.

Action-Not Available
Vendor-n/aLiferay Inc.
Product-dxpliferay_portaln/a
CWE ID-CWE-287
Improper Authentication
CVE-2013-4593
Matching Score-4
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-4
Assigner-Red Hat, Inc.
CVSS Score-7.5||HIGH
EPSS-0.35% / 56.85%
||
7 Day CHG~0.00%
Published-11 Dec, 2019 | 13:45
Updated-06 Aug, 2024 | 16:45
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

RubyGem omniauth-facebook has an access token security vulnerability

Action-Not Available
Vendor-omniauth-facebook_projectomniauth-facebook
Product-omniauth-facebookomniauth-facebook
CWE ID-CWE-287
Improper Authentication
CVE-2020-36176
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-7.5||HIGH
EPSS-0.21% / 43.83%
||
7 Day CHG~0.00%
Published-06 Jan, 2021 | 14:47
Updated-04 Aug, 2024 | 17:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

The iThemes Security (formerly Better WP Security) plugin before 7.7.0 for WordPress does not enforce a new-password requirement for an existing account until the second login occurs.

Action-Not Available
Vendor-n/aSolidWP (iThemes)
Product-ithemes_securityn/a
CWE ID-CWE-287
Improper Authentication
  • Previous
  • 1
  • 2
  • 3
  • Next
Details not found