16 matches found
CVE-2026-40997
Several Spring WS integration paths with Spring Security could surface detailed account state for example locked or disabled user semantics to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote...
UBUNTU-CVE-2026-40997
Several Spring WS integration paths with Spring Security could surface detailed account state for example locked or disabled user semantics to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote...
CVE-2026-40997 SOAP security faults leak Spring Security account state
Several Spring WS integration paths with Spring Security could surface detailed account state for example locked or disabled user semantics to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote...
EUVD-2026-36207
Several Spring WS integration paths with Spring Security could surface detailed account state for example locked or disabled user semantics to remote SOAP clients through exception messages or callback outcomes, instead of failing with generic authentication errors. That behavior assists remote...
CVE-2026-40997
The CVE-2026-40997 issue affects Spring Web Services: versions 5.0.0–5.0.1, 4.1.0–4.1.3, 4.0.0–4.0.18, and 3.1.0–3.1.8. The vulnerability arises when several Spring WS integration paths with Spring Security reveal detailed account state (e.g., locked or disabled user semantics) to remote SOAP cli...
PT-2026-48620
Name of the Vulnerable Software and Affected Versions Spring Web Services versions 5.0.0 through 5.0.1 Spring Web Services versions 4.1.0 through 4.1.3 Spring Web Services versions 4.0.0 through 4.0.18 Spring Web Services versions 3.1.0 through 3.1.8 Description Integration paths between Spring W...
Information Exposure
Overview Affected versions of this package are vulnerable to Information Exposure due to the Spring Security integration paths in SpringSecurityUtils.checkUserValidity, SpringSecurityPasswordValidationCallbackHandler, and X509AuthenticationProvider, which surface account status exceptions such as...
CVE-2026-33373
An issue was discovered in Zimbra Collaboration ZCS 10.0 and 10.1. A Cross-Site Request Forgery CSRF vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after...
CVE-2026-33373
An issue was discovered in Zimbra Collaboration ZCS 10.0 and 10.1. A Cross-Site Request Forgery CSRF vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after...
CVE-2026-33373
An issue was discovered in Zimbra Collaboration ZCS 10.0 and 10.1. A Cross-Site Request Forgery CSRF vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after...
CVE-2026-33373
CVE-2026-33373 affects Zimbra Collaboration (ZCS) 10.0 and 10.1. The vulnerability is a Cross-Site Request Forgery (CSRF) in the Zimbra Web Client where authentication tokens issued during certain account state transitions (e.g., enabling 2FA or changing a password) may lack CSRF protection, allo...
PT-2026-29034
An issue was discovered in Zimbra Collaboration ZCS 10.0 and 10.1. A Cross-Site Request Forgery CSRF vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after...
CVE-2025-34298
Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user could set their own email to an invalid value and, due to insufficient validation and authorization checks tied to email identity state, trigger inconsistent...
CVE-2025-34298
Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation vulnerability in the account email-change workflow. A user could set their own email to an invalid value and, due to insufficient validation and authorization checks tied to email identity state, trigger inconsistent...
CVE-2025-34298
Nagios Log Server (prior to 2024R1.3.2) contains a privilege escalation in the account email-change workflow. An attacker could set their own email to an invalid value, and due to insufficient validation and authorization checks tied to email identity state, trigger an inconsistent account state ...
PT-2025-44525
Name of the Vulnerable Software and Affected Versions Nagios Log Server versions prior to 2024R1.3.2 Description Nagios Log Server versions prior to 2024R1.3.2 contain a privilege escalation issue in the account email-change workflow. A user can set their email to an invalid value, and due to...