The Syracom Secure Login plugin prior to 3.1.1.0 for Jira may allow spoofing of 2FA PIN validation via the plugins/servlet/twofactor/public/pinvalidation target parameter.
syracom secure login
Vulmon