EUVD-2020-0234
Malware in sbrugna...
EUVD-2022-15986
Malicious code in bioql PyPI...
EUVD-2023-27059
Malicious code in bioql PyPI...
CVE-2025-53102
Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the stable branch and version 3.5.0.beta.8 on the tests-passed branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared...
CVE-2025-53102
CVE-2025-53102 affects Discourse: prior to 3.4.7 (stable) and 3.5.0.beta.8 (tests-passed), issuing a physical security key for 2FA generates a WebAuthn challenge that is not cleared from the user session after authentication, potentially allowing reuse and increasing security risk. Affected versi...
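The two Discourse entries above describe a WebAuthn challenge that stays in the server-side session after the client's signed response has been accepted, so the same response can be presented again. The following is an added example, not Discourse code: it models only the challenge lifecycle (issue, verify, consume). The real ECDSA check over the authenticator data is stood in for by comparing the challenge the client echoes back, and the session dictionary, the five-minute TTL and the function names are assumptions made for illustration.

```python
"""Single-use WebAuthn challenge handling (added example, not Discourse code).

The signature verification WebAuthn actually performs is replaced here by a
constant-time comparison of the echoed challenge, so the replay behaviour can
be shown without a WebAuthn library.
"""
import base64
import hmac
import secrets
import time

CHALLENGE_TTL = 300  # seconds; assumed value, not taken from the advisory


def issue_challenge(session: dict) -> str:
    """Store a fresh 32-byte random challenge in the server-side session."""
    challenge = base64.urlsafe_b64encode(secrets.token_bytes(32)).decode()
    session["webauthn_challenge"] = challenge
    session["webauthn_challenge_issued_at"] = time.time()
    return challenge


def _challenge_matches(session: dict, echoed: str) -> bool:
    """True if an unexpired challenge is stored and matches the echoed value."""
    stored = session.get("webauthn_challenge")
    if stored is None:
        return False
    if time.time() - session.get("webauthn_challenge_issued_at", 0) > CHALLENGE_TTL:
        return False
    return hmac.compare_digest(stored.encode(), echoed.encode())


def verify_vulnerable(session: dict, response: dict) -> bool:
    """Pattern the advisory describes: the challenge is checked but left in
    the session, so a captured response verifies a second time."""
    return _challenge_matches(session, response["challenge"])


def verify_hardened(session: dict, response: dict) -> bool:
    """Consume the challenge whether or not verification succeeds; a new
    ceremony must start with a new challenge."""
    try:
        return _challenge_matches(session, response["challenge"])
    finally:
        session.pop("webauthn_challenge", None)
        session.pop("webauthn_challenge_issued_at", None)


def replay_succeeds(verify) -> bool:
    """Issue one challenge, present the same client response twice and report
    whether the second presentation is accepted."""
    session = {}
    challenge = issue_challenge(session)
    captured = {"challenge": challenge}  # constructed stand-in for clientDataJSON
    first = verify(session, captured)
    second = verify(session, captured)
    return first and second


if __name__ == "__main__":
    print("replay against vulnerable verifier:", replay_succeeds(verify_vulnerable))
    print("replay against hardened verifier:", replay_succeeds(verify_hardened))
```

The `try`/`finally` in `verify_hardened` matters: popping the challenge only on success would still let an attacker keep guessing against a stale challenge, so it is removed on every verification attempt.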
CVE-2025-53545
The CVE-2025-53545 entry concerns Press, a Frappe custom app used with Frappe Cloud. The underlying issue is a lack of server-side validation that allows bypassing two-factor authentication (2FA) for users. The vulnerability description confirms that this is a 2FA bypass resulting from insufficie...
CVE-2025-49591 CryptPad 2FA Bypass Vulnerability
CryptPad is a collaboration suite. Prior to version 2025.3.0, enforcement of Two-Factor Authentication (2FA) in CryptPad can be trivially bypassed due to a weak implementation of access controls. An attacker who compromises a user's credentials can gain access to the victim's account, even if the...
HackerOne: Bypassing HackerOne 2FA due to race condition
A race condition vulnerability was discovered in HackerOne's 2FA reset process. The issue allowed an attacker to initiate multiple parallel 2FA reset requests, resulting in multiple reset notification emails. When a user canceled one reset request, the remaining requests would stay active,...
HackerOne: Reset the 2FA of the user which can lead to Account Takeover
Vulnerability description not provided...
CVE-2023-49949
Passwork before 6.2.0 allows remote authenticated users to bypass 2FA by sending all one million of the possible 6-digit codes...
CVE-2023-28316
A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where other active sessions are not invalidated upon activating 2FA. This could potentially allow an attacker to maintain access to a compromised account even after 2FA is enabled...
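The HackerOne race-condition report and the Rocket.Chat entry above are both cases where a 2FA state change does not touch the rest of the account's state: parallel reset requests each leave a live token behind, and turning 2FA on leaves an attacker's existing session logged in. The following is an added example, not code from HackerOne or Rocket.Chat, showing the two transitions in a vulnerable form and a hardened form. The in-memory session and reset-token stores and the method names are assumptions for illustration.

```python
"""2FA state transitions that must also update sessions and pending tokens.

Added example, not code from Rocket.Chat or HackerOne. Stores are plain
dictionaries assumed for illustration.
"""
import secrets


class AuthState:
    def __init__(self):
        self.sessions = {}        # session_id -> user
        self.reset_tokens = {}    # reset token -> user
        self.twofa_enabled = set()

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = user
        return sid

    def is_valid_session(self, sid: str) -> bool:
        return sid in self.sessions

    # --- enabling 2FA (Rocket.Chat pattern) ---
    def enable_2fa_vulnerable(self, user: str, current_sid: str) -> None:
        """Flag flipped, every other session for the user stays valid."""
        self.twofa_enabled.add(user)

    def enable_2fa_hardened(self, user: str, current_sid: str) -> None:
        """Flag flipped and every session except the one doing it is revoked,
        so a session an attacker already holds has to pass 2FA again."""
        self.twofa_enabled.add(user)
        stale = [s for s, u in self.sessions.items() if u == user and s != current_sid]
        for s in stale:
            del self.sessions[s]

    # --- 2FA reset requests (HackerOne pattern) ---
    def request_reset_vulnerable(self, user: str) -> str:
        """Each request, including parallel ones, adds another live token."""
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = user
        return token

    def cancel_reset_vulnerable(self, token: str) -> None:
        """Cancelling removes only the one token the user clicked on."""
        self.reset_tokens.pop(token, None)

    def request_reset_hardened(self, user: str) -> str:
        """At most one outstanding reset per user: a new request replaces any
        earlier one, so racing requests cannot stack up."""
        self._clear_resets(user)
        token = secrets.token_urlsafe(16)
        self.reset_tokens[token] = user
        return token

    def cancel_reset_hardened(self, token: str) -> None:
        """Cancelling one reset invalidates everything pending for that user."""
        user = self.reset_tokens.get(token)
        if user is not None:
            self._clear_resets(user)

    def _clear_resets(self, user: str) -> None:
        for t in [t for t, u in self.reset_tokens.items() if u == user]:
            del self.reset_tokens[t]

    def live_reset_tokens(self, user: str) -> int:
        return sum(1 for u in self.reset_tokens.values() if u == user)
```

In a real deployment the "replace any earlier token" step has to be atomic at the database (a unique index on the user column of the reset table, or an update-in-place of a single row), otherwise two requests arriving in the same millisecond can still both survive.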
Gitea Allows 1FA Even for 2FA-Enrolled Accounts
Gitea before 1.8.0 allows 1FA for user accounts that have completed 2FA enrollment. If a user's credentials are known, then an attacker could send them to the API without requiring the 2FA one-time password...
CVE-2022-0910
A downgrade from two-factor authentication to one-factor authentication vulnerability in the CGI program of Zyxel USG/ZyWALL series firmware versions 4.32 through 4.71, USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware versions 4.32 through 5.21, and VPN series firmware...
CVE-2022-0992
The CVE-2022-0992 entry concerns the WordPress SiteGround Security plugin (versions up to 1.2.5). The vulnerability is an authentication bypass caused by missing identity verification during the initial 2FA setup, allowing unauthenticated users to configure 2FA for pending accounts and subsequent...
TikTok reset account password Exploit
The exploit can reset the password and gain full control of any TikTok account. You can change the target's mobile phone number without any problems, because the exploit uses a 2FA bypass vulnerability...
Serious Vulnerabilities in Dualog Connection Suite
TL;DR: The flaws found in this maritime comms and connection suite were many, and not insignificant: directory traversal; 2FA challenge/response performed in a client-side application; a default install password; SQL injection; user data leakage; easily brute-forceable password hashes. Introduction: Duri...
CVE-2020-29136
In cPanel before 90.0.17, 2FA can be bypassed via a brute-force approach (SEC-575)...
CVE-2020-5240
In wagtail-2fa before 1.4.1, any user with access to the CMS can view and delete other users' 2FA devices by going to the correct path. The user does not require special permissions in order to do so. By deleting the other user's device they can disable the target user's 2FA devices and potentially...
CVE-2019-7218
Citrix ShareFile is vulnerable to a downgrade of authentication from two-factor to one-factor for versions before 19.23. An attacker who has access to the victim's OTP token or authenticator app could bypass the username/password step and log in with username/OTP only. The issue affects the 2FA logi...