Product
high
advisory
eduMFA Token Reusage Vulnerability due to Incorrect InnoDB Snapshot Isolation
2 rules
eduMFA versions prior to 2.9.1 are vulnerable to token reusage due to incorrect InnoDB snapshot isolation in MySQL and MariaDB versions prior to 11.6.2 (or newer with innodb_snapshot_isolation=off). Affected token types include TOTP, HOTP, and likely WebAuthn, whose tokens are intended for single use. Exploitation requires racing the transaction.
MariaDB +1
vulnerability
mfa
token reusage
high
advisory
eduMFA Passkey Replay Vulnerability
2 rules
eduMFA versions prior to 2.9.1 are vulnerable to replay attacks due to a missing expiration flag in userless Passkey/WebAuthn challenges, potentially leading to unauthorized access.
eduMFA
replay-attack
authentication
webauthn