php · snipe/snipe-it
Heads-up
Snipe-IT 2FA Endpoint Lacks Rate Limiting and Allows Bypass
The POST /two-factor endpoint has no rate limiting, lockout, or attempt counter, enabling unlimited TOTP guesses.
What changed
The POST /two-factor endpoint has no rate limiting, lockout, or attempt counter, so a client can submit an unlimited number of TOTP guesses. With a TOTP window of 1, 3 codes out of every million are accepted on each attempt. A correct guess yields an authenticated session. If 2FA is optional (two_factor_enabled='1'), the attacker can then disable 2FA via POST /account/profile without re-verifying the OTP. Against admin targets, POST /api/v1/users/two_factor_reset clears another user's 2FA secret.
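The control the advisory describes as missing, as an added example that is not Snipe-IT's code: an RFC 6238 TOTP check with a ±1 step window (the "3 codes per million" figure above follows from (2·window+1)/10⁶), wrapped in a hypothetical per-user attempt counter with lockout so that a single secret cannot be guessed at indefinitely. The `TwoFactorGuard` class, its limits and its in-memory store are assumptions for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamic truncation of HMAC-SHA1 over the 8-byte counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_matches(secret: bytes, code: str, now: int, window: int = 1, step: int = 30) -> bool:
    """RFC 6238 check accepting the current 30 s step plus `window` steps either side."""
    t = now // step
    return any(hmac.compare_digest(hotp(secret, t + d), code)
               for d in range(-window, window + 1))


def accepted_fraction(window: int = 1, digits: int = 6) -> float:
    """Share of the code space one guess hits: (2*window + 1) / 10**digits."""
    return (2 * window + 1) / 10 ** digits


class TwoFactorGuard:
    """Per-user failure counter (hypothetical in-memory store): MAX_ATTEMPTS misses
    lock the user for LOCKOUT seconds; production would key on user and client
    address in a shared cache so the limit survives restarts and multiple workers."""
    MAX_ATTEMPTS = 5
    LOCKOUT = 300

    def __init__(self) -> None:
        self._state = {}  # user -> (failure_count, locked_until)

    def verify(self, user: str, secret: bytes, code: str, now: int) -> str:
        count, locked_until = self._state.get(user, (0, 0))
        if now < locked_until:
            return "locked"  # refuse before evaluating the code, even if it is right
        if locked_until:  # previous lockout has expired: start a fresh budget
            count, locked_until = 0, 0
        if totp_matches(secret, code, now):
            self._state.pop(user, None)  # success resets the counter
            return "ok"
        count += 1
        if count >= self.MAX_ATTEMPTS:
            locked_until = now + self.LOCKOUT
        self._state[user] = (count, locked_until)
        return "locked" if locked_until else "invalid"
```

With the lockout in place, five misses cap an attacker at roughly 15 accepted codes per million per lockout period instead of an unbounded number; the same counter should also gate the profile and reset endpoints named above.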
Who it affects
All Snipe-IT instances with 2FA enabled (optional or required mode) prior to v8.6.0.
What to do today
Upgrade to v8.6.0 or later to apply the patch.