Lucene search
K

80 matches found

EUVD
EUVD
added 2025/10/03 8:7 p.m.8 views

EUVD-2024-3549

Malicious code in bioql PyPI...

8.9CVSS6.3AI score0.00543EPSS
Exploits0References4
EUVD
EUVD
added 2025/10/03 8:7 p.m.2 views

EUVD-2022-53140

Malicious code in bioql PyPI...

6.5CVSS7.9AI score0.00594EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2025/07/11 12:0 a.m.11 views

PT-2025-29266 · Immich · Immich

Name of the Vulnerable Software and Affected Versions: immich versions prior to 1.132.0 Description: immich is a self-hosted photo and video management solution. A flaw exists in the OAuth2 implementation where the state parameter is not validated. This parameter, functioning similarly to a...

7.3CVSS6.3AI score0.00325EPSS
Exploits0References8
RedhatCVE
RedhatCVE
added 2025/05/03 6:6 p.m.14 views

CVE-2025-46345

Auth0 Account Link Extension is an extension aimed to help link accounts easily. Versions 2.3.4 to 2.6.6 do not verify the signature of the provided JWT. This allows the user the ability to supply a forged token and the potential to access user information without proper authorization. This issue...

6.9CVSS6.9AI score0.00317EPSS
Exploits0References1
CNNVD
CNNVD
added 2025/03/16 12:0 a.m.7 views

TYPO3 安全漏洞

TYPO3 is a free and open source content management system framework CMS/CMF from the Swiss TYPO3 Association. A security vulnerability exists in TYPO3 versions prior to 4.0.0 that stems from an account linking logic that allows a pre-hijacking attack, which can lead to an account takeover...

4.2CVSS6.4AI score0.00168EPSS
Exploits0References4
Veracode
Veracode
added 2025/01/31 9:15 a.m.9 views

Account Takeover

causal/oidc is vulnerable to Account Takeover. The vulnerability is due to flaws in the account linking logic, where an attacker can register a public frontend user account with a user's email before the user's first OIDC login, allowing them to hijack the account...

4.2CVSS6.7AI score0.00168EPSS
Exploits0References4Affected Software1
Snyk
Snyk
added 2025/01/28 7:15 p.m.3 views

Authorization Bypass Through User-Controlled Key

Overview Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the account linking logic. An attacker can anticipate and use the email address of a user to register a public frontend user account before the user's first OIDC login, leading to...

4.2CVSS6.9AI score0.00168EPSS
Exploits0References3
NVD
NVD
added 2024/12/20 8:15 p.m.19 views

CVE-2024-56329

Socialstream is a third-party package for Laravel Jetstream. It replaces the published authentication and profile scaffolding provided by Laravel Jetstream, with scaffolding that has support for Laravel Socialite. When linking a social account to an already authenticated user, the lack of a...

8.9CVSS0.00543EPSS
Exploits0References2
OSV
OSV
added 2024/12/20 7:59 p.m.7 views

CVE-2024-56329 Account Takeover Vulnerability in Social Account Linking in joelbutcher/socialstream

Socialstream is a third-party package for Laravel Jetstream. It replaces the published authentication and profile scaffolding provided by Laravel Jetstream, with scaffolding that has support for Laravel Socialite. When linking a social account to an already authenticated user, the lack of a...

8.9CVSS6.7AI score0.00543EPSS
Exploits0References4
CVE
CVE
added 2024/12/20 7:59 p.m.65 views

CVE-2024-56329

CVE-2024-56329 affects the Socialstream package for Laravel Jetstream (joelbutcher/socialstream). The vulnerability arises during social account linking to an already authenticated user, where a missing confirmation step allows an account takeover risk. The issue is worsened when the Socialite co...

8.9CVSS6.6AI score0.00543EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2024/12/20 7:59 p.m.8 views

CVE-2024-56329 Account Takeover Vulnerability in Social Account Linking in joelbutcher/socialstream

Socialstream is a third-party package for Laravel Jetstream. It replaces the published authentication and profile scaffolding provided by Laravel Jetstream, with scaffolding that has support for Laravel Socialite. When linking a social account to an already authenticated user, the lack of a...

8.9CVSS6.6AI score0.00543EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2024/12/20 3:1 p.m.35 views

Socialstream has a Potential Account Takeover Vulnerability in Social Account Linking Due to Missing User Consent After OAuth Callback

Description When linking a social account to an already authenticated user, the lack of a confirmation step introduces a security risk. This is exacerbated if -stateless is used in the Socialite configuration, bypassing state verification and making the exploit easier. Developers should ensure th...

8.9CVSS6.9AI score0.00543EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2024/12/20 3:1 p.m.8 views

GHSA-3Q97-VJPP-C8RP Socialstream has a Potential Account Takeover Vulnerability in Social Account Linking Due to Missing User Consent After OAuth Callback

Description When linking a social account to an already authenticated user, the lack of a confirmation step introduces a security risk. This is exacerbated if -stateless is used in the Socialite configuration, bypassing state verification and making the exploit easier. Developers should ensure th...

8.9CVSS6AI score0.00543EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2024/12/20 12:0 a.m.6 views

PT-2024-36791 · Unknown +1 · Wp Social Stream +1

Name of the Vulnerable Software and Affected Versions: Socialstream versions prior to 6.2 Description: The issue arises when linking a social account to an already authenticated user, as there is a lack of a confirmation step, introducing a security risk. This risk is increased if -stateless is...

8.9CVSS7.1AI score0.00543EPSS
Exploits0References11
Veracode
Veracode
added 2024/06/19 7:3 a.m.13 views

Improper Authentication

github.com/pocketbase/pocketbase is vulnerable to Improper Authentication. The vulnerability is due to unverified account linking because an attacker can create an unverified account with the targeted user's email, and when the user signs up with OAuth2, their account is linked without changing t...

5.4CVSS6.7AI score0.00289EPSS
Exploits0References4Affected Software1
SUSE CVE
SUSE CVE
added 2023/02/15 5:10 a.m.4 views

SUSE CVE-2015-9284

The request phase of the OmniAuth Ruby gem 1.9.1 and earlier is vulnerable to Cross-Site Request Forgery when used as part of the Ruby on Rails framework, allowing accounts to be connected without user intent, user interaction, or feedback to the user. This permits a secondary account to be able ...

8.8CVSS8.6AI score0.01573EPSS
Exploits0References3
OSV
OSV
added 2022/12/22 8:15 p.m.5 views

CVE-2022-31742

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affec...

6.5CVSS8.8AI score
Exploits0References4
Prion
Prion
added 2022/12/22 8:15 p.m.17 views

Cross site scripting

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affec...

4.3CVSS6.9AI score0.00594EPSS
Exploits0References4Affected Software3
Vulnrichment
Vulnrichment
added 2022/12/22 12:0 a.m.6 views

CVE-2022-31742

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affec...

5.9AI score0.00594EPSS
Exploits0References4
Cvelist
Cvelist
added 2022/12/22 12:0 a.m.18 views

CVE-2022-31742

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affec...

7.5AI score0.00594EPSS
Exploits0References4
Rows per page
Query Builder