Hi there. I realized a quick issue earlier today. If I login to my admin account where a custom theme is set, the CSS for that theme will load at the time the 2FA Prompt loads. If I enter an invalid code, my session is reset and I have to retype my username and password, then retry 2FA. However the difference is the login screen now shows my custom admin theme as it was never switched back to default. Was this intentional or is it a bug?
I would say a bug. I feel it is a security issue since it shouldn't choose a custom theme until a user is confirmed.
I would definitely say it's a bug.
Hi,
Thank you for your report. We have pushed this issue to our Github repository for further analysis where you can track our commits and progress with fixing this bug. Discussions regarding this bug may also take place there too.
Follow this link to visit the issue on Github:
https://github.com/mybb/mybb/issues/2700
Thanks for contributing to MyBB!
Regards,
The MyBB Group