12 matches found
CVE-2019-12363
An CSRF issue was discovered in the JN-Jones MyBB-2FA plugin through 2014-11-05 for MyBB. An attacker can forge a request to an installed mybb2fa plugin to control its state via usercp.php?action=mybb2fa=deactivate or usercp.php?action=mybb2fa=activate. A deactivate operation lowers the security ...
EUVD-2019-3998
Malware in sbrugna...
CVE-2023-6506
The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the sendbackupcodesemail due to missing validation on a user controlled key. This makes it possible for subscriber-level...
CVE-2022-28601
A Two-Factor Authentication 2FA bypass vulnerability in "Simple 2FA Plugin for Moodle" by LMS Doctor allows remote attackers to overwrite the phone number used for confirmation via the profile.php file. Therefore, allowing them to bypass the phone verification mechanism...
Design/Logic Flaw
The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the sendbackupcodesemail due to missing validation on a user controlled key. This makes it possible for subscriber-level...
CVE-2023-6506 WP 2FA <= 2.5.0 - Insecure Direct Object Reference to Arbitrary Email Sending
The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.5.0 via the sendbackupcodesemail due to missing validation on a user controlled key. This makes it possible for subscriber-level...
CVE-2023-6520 WP 2FA – Two-factor authentication for WordPress <= 2.5.0 - Cross-Site Request Forgery
The WP 2FA – Two-factor authentication for WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.0. This is due to missing or incorrect nonce validation on the sendbackupcodesemail function. This makes it possible for unauthenticated...
CVE-2022-28601
A Two-Factor Authentication 2FA bypass vulnerability in "Simple 2FA Plugin for Moodle" by LMS Doctor allows remote attackers to overwrite the phone number used for confirmation via the profile.php file. Therefore, allowing them to bypass the phone verification mechanism...
CVE-2022-28601
CVE-2022-28601 concerns the Simple 2FA Plugin for Moodle by LMS Doctor. A 2FA bypass exists: remote attackers can overwrite the phone number used for confirmation via profile.php, thus bypassing the phone verification mechanism. The affected component is the Moodle plugin’s 2FA handling; the root...
CVE-2019-12363
An CSRF issue was discovered in the JN-Jones MyBB-2FA plugin through 2014-11-05 for MyBB. An attacker can forge a request to an installed mybb2fa plugin to control its state via usercp.php?action=mybb2fa&do=deactivate or usercp.php?action=mybb2fa&do=activate. A deactivate operation lowers the...
Cross site request forgery (csrf)
An CSRF issue was discovered in the JN-Jones MyBB-2FA plugin through 2014-11-05 for MyBB. An attacker can forge a request to an installed mybb2fa plugin to control its state via usercp.php?action=mybb2fa&do=deactivate or usercp.php?action=mybb2fa&do=activate. A deactivate operation lowers the...
CVE-2018-20231
Cross Site Request Forgery CSRF in the two-factor-authentication plugin before 1.3.13 for WordPress allows remote attackers to disable 2FA via the tfaenabletfa parameter due to missing nonce validation...