938 matches found
HackerOne: Bypassing HackerOne 2FA due to race condition
A race condition vulnerability was discovered in HackerOne's 2FA reset process. The issue allowed an attacker to initiate multiple parallel 2FA reset requests, resulting in multiple reset notification emails. When a user canceled one reset request, the remaining requests would stay active,...
Twilio's Authy App Attack Exposes Millions of Phone Numbers
Cloud communications provider Twilio has revealed that unidentified threat actors took advantage of an unauthenticated endpoint in Authy to identify data associated with Authy accounts, including users' cell phone numbers. The company said it took steps to secure the endpoint to no longer accept...
[SECURITY] Fedora 39 Update: freeipa-4.12.1-1.fc39
IPA is an integrated solution to provide centrally managed Identity users, hosts, services, Authentication SSO, 2FA, and Authorization host access control, SELinux user roles, services. The solution provides features for further integration with Linux based clients SUDO, automount and integration...
CVE-2024-38523 Hush Line OTP issue
Hush Line is a free and open-source, anonymous-tip-line-as-a-service for organizations or individuals. The TOTP authentication flow has multiple issues that weakens its one-time nature. Specifically, the lack of 2FA for changing security settings allows attacker with CSRF or XSS primitives to...
HackerOne: Hackers can Invite Collaborators Without 2FA on Programs Requiring 2FA
Vulnerability description not provided...
CVE-2024-4846
Authentication bypass in the 2FA feature in Devolutions Server 2024.1.14.0 and earlier allows an authenticated attacker to authenticate to another user without being asked for the 2FA via another browser tab...
CVE-2024-4846
Authentication bypass in the 2FA feature in Devolutions Server 2024.1.14.0 and earlier allows an authenticated attacker to authenticate to another user without being asked for the 2FA via another browser tab...
CVE-2024-4846
Authentication bypass in the 2FA feature in Devolutions Server 2024.1.14.0 and earlier allows an authenticated attacker to authenticate to another user without being asked for the 2FA via another browser tab...
CVE-2024-4846
CVE-2024-4846 describes an authentication bypass in the 2FA feature of Devolutions Server, affected versions 2024.1.14.0 and earlier. An authenticated attacker can sign in as another user without being prompted for 2FA via another browser tab. The available connected documents confirm the vulnera...
HackerOne: Business Logic error leads to bypass 2FA requirement
Vulnerability description not provided...
A week in security (June 17 – June 23)
Last week on Malwarebytes Labs: Microsoft Recall delayed after privacy and security concerns Almost everything you always wanted to know about cybersecurity, but were too afraid to ask, with Tjitske de Vries: Lock and Code S05E13 43% of couples experience pressure to share logins and locations,...
HackerOne: Reports submitted by a non 2fa setupped user account can be transferred to a 2fa require submission program
Vulnerability description not provided...
CVE-2022-44587
Insertion of Sensitive Information into Log File vulnerability in WP 2FA allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP 2FA: from n/a through 2.6.3...
First million breached Ticketmaster records released for free
The cybercriminal acting under the name "Sp1d3r" gave away the first 1 million records that are part of the data set that they claimed to have stolen from Ticketmaster/Live Nation. The files were released without a price, for free. When Malwarebytes Labs first learned about this data breach, it...
CVE-2022-44587 WordPress WP 2FA plugin <= 2.6.3 - Sensitive Data Exposure via Log File vulnerability
Insertion of Sensitive Information into Log File vulnerability in WP 2FA allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP 2FA: from n/a through 2.6.3...
CVE-2022-44587
Technical details about CVE-2022-44587 (WP 2FA) are not provided in the connected documents. Monitor for updates from vendors/security advisories; current entries indicate log-file exposure but lack specifics on affected versions, fixes, or exploitation.
CVE-2022-44587 WordPress WP 2FA plugin <= 2.6.3 - Sensitive Data Exposure via Log File vulnerability
Insertion of Sensitive Information into Log File vulnerability in WP 2FA allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WP 2FA: from n/a through 2.6.3...
2FA Sniffing
pterodactyl/panel is vulnerable to a 2FA sniffing. The vulnerability is due to a logical error that delays password verification until after 2FA credentials are entered, allowing malicious users to determine account existence with incorrect passwords...
WordPress WP 2FA Plugin <= 2.6.3 is vulnerable to Sensitive Data Exposure
Software WP 2FA Type Plugin Vulnerable versions = 2.6.3 Fixed in 2.6.4 OWASP Top 10 A3: Sensitive Data Exposure Classification Sensitive Data Exposure CVE CVE-2022-44587 Patch priority Low CVSS severity Low 5.3 Developer Melapress PSID b28422640e7b Credits Snicco Required privilege Unauthenticate...
CVE-2024-37313
Nextcloud server is a self hosted personal cloud system. Under some circumstance it was possible to bypass the second factor of 2FA after successfully providing the user credentials. It is recommended that the Nextcloud Server is upgraded to 26.0.13, 27.1.8 or 28.0.4 and Nextcloud Enterprise Serv...