[Box] Bypassing Time-based One-Time Password (TOTP)

We discussed this vulnerability during Episode 105 on 06 December 2021

A partially authenticated user could remove MFA from their account. When a user enrolled in MFA logged in with the correct credentials but had not yet supplied the MFA token, that partially authenticated session could still reach the /mfa/unenrollment endpoint and remove MFA from the account.
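The root cause is an authorization check that treats "password accepted, MFA pending" as good enough for an MFA-management action. The following is an added illustration, not Box's code, modelling the login state machine with a vulnerable check beside a hardened one; the `AuthLevel` states, the `Session` shape and the numeric status codes are assumptions for the example.

```python
# Added example (not Box's code): session authentication levels and why the
# pending-MFA state must not satisfy the check on /mfa/unenrollment.
from dataclasses import dataclass
from enum import Enum


class AuthLevel(Enum):
    ANONYMOUS = 0
    PASSWORD_VERIFIED = 1     # credentials accepted, TOTP still pending
    FULLY_AUTHENTICATED = 2   # TOTP verified, or account not enrolled in MFA


@dataclass
class Session:
    user: str
    level: AuthLevel = AuthLevel.ANONYMOUS
    mfa_enrolled: bool = True


def login_password(session: Session, password_ok: bool) -> AuthLevel:
    """First login step: a correct password only reaches the intermediate state
    when the account is enrolled in MFA."""
    if password_ok:
        session.level = (AuthLevel.PASSWORD_VERIFIED if session.mfa_enrolled
                         else AuthLevel.FULLY_AUTHENTICATED)
    return session.level


def verify_totp(session: Session, token_ok: bool) -> AuthLevel:
    """Second login step: only a session that already passed the password
    check can be promoted, and only with a valid token."""
    if session.level is AuthLevel.PASSWORD_VERIFIED and token_ok:
        session.level = AuthLevel.FULLY_AUTHENTICATED
    return session.level


def unenroll_mfa_vulnerable(session: Session) -> int:
    """Vulnerable pattern: any non-anonymous session counts as 'logged in',
    so the pending-MFA session can disable MFA."""
    if session.level is AuthLevel.ANONYMOUS:
        return 401
    session.mfa_enrolled = False
    return 200


def unenroll_mfa_hardened(session: Session) -> int:
    """Hardened: MFA management requires the fully authenticated state."""
    if session.level is not AuthLevel.FULLY_AUTHENTICATED:
        return 403
    session.mfa_enrolled = False
    return 200
```

In a real service the hardened handler would also demand a fresh TOTP verification for the unenrollment itself, so a hijacked fully authenticated session cannot silently weaken the account.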