Lucene search
K

80 matches found

CVE
CVE
added 2022/12/22 12:0 a.m.215 views

CVE-2022-31742

CVE-2022-31742 describes a timing-attack flaw in WebAuthn: an attacker could send many allowCredential entries and distinguish valid vs invalid key handles, enabling cross-origin account linking. Affected products in the provided records are Thunderbird < 91.10, Firefox < 101, and Firefox ESR

6.5CVSS7.2AI score0.00594EPSS
Exploits0References4Affected Software3
Cvelist
Cvelist
added 2022/12/22 12:0 a.m.18 views

CVE-2022-31742

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affec...

7.5AI score0.00594EPSS
Exploits0References4
OSV
OSV
added 2022/06/04 8:25 p.m.8 views

MGASA-2022-0220 Updated firefox/nss/nspr packages fix security vulnerability

A malicious website could have learned the size of a cross-origin resource that supported Range requests CVE-2022-31736. A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash CVE-2022-31737. When exiting fullscreen...

9.8CVSS9.1AI score0.01055EPSS
Exploits0References6
Mageia
Mageia
added 2022/06/04 8:25 p.m.44 views

Updated firefox/nss/nspr packages fix security vulnerability

A malicious website could have learned the size of a cross-origin resource that supported Range requests CVE-2022-31736. A malicious webpage could have caused an out-of-bounds write in WebGL, leading to memory corruption and a potentially exploitable crash CVE-2022-31737. When exiting fullscreen...

9.8CVSS0.7AI score0.01055EPSS
Exploits0References5
Mageia
Mageia
added 2022/06/04 8:25 p.m.57 views

Updated thunderbird packages fix security vulnerability

When displaying the sender of an email, and the sender name contained the Braille Pattern Blank space character multiple times, Thunderbird would have displayed all the spaces. This could have been used by an attacker to send an email message with the attacker's digital signature, that was shown...

9.8CVSS0.5AI score0.01055EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2022/06/03 3:39 p.m.3 views

Mozilla: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue as an attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have...

6.5CVSS7.3AI score0.00594EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2022/06/03 3:28 p.m.3 views

Mozilla: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue as an attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have...

6.5CVSS7.3AI score0.00594EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2022/06/02 11:51 p.m.6 views

Mozilla: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue as an attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have...

6.5CVSS7.3AI score0.00594EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2022/06/01 10:21 p.m.6 views

Mozilla: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue as an attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have...

6.5CVSS7.3AI score0.00594EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2022/06/01 10:1 p.m.5 views

Mozilla: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue as an attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have...

6.5CVSS7.3AI score0.00594EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 2022/06/01 9:8 p.m.3 views

Mozilla: Querying a WebAuthn token with a large number of allowCredential entries may have leaked cross-origin information

A flaw was found in Mozilla. The Mozilla Foundation Security Advisory describes the issue as an attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have...

6.5CVSS7.3AI score0.00594EPSS
Exploits0References4
UbuntuCve
UbuntuCve
added 2022/06/01 12:0 a.m.41 views

CVE-2022-31742

An attacker could have exploited a timing attack by sending a large number of allowCredential entries and detecting the difference between invalid key handles and cross-origin key handles. This could have led to cross-origin account linking in violation of WebAuthn goals. This vulnerability affec...

6.5CVSS6.9AI score0.00594EPSS
Exploits0References6
Hacker One
Hacker One
added 2020/11/22 1:40 a.m.19 views

Khan Academy: Password authentication when changing information bypass. Bypass of report #721341

SUMMARY When reading the disclosed reports of your program, i see this one report 721341 . The reporter reported a lack of password confirmation when linking accounts. A fix was applied, adding password confirmation when linking account to other services. But i found a way to bypass this, The...

0.5AI score
Exploits0
OSV
OSV
added 2020/06/19 3:15 p.m.6 views

CVE-2019-20864

An issue was discovered in Mattermost Plugins before 5.13.0. The GitHub plugin allows an attacker to attach his Mattermost account to a different person's GitHub account...

7.5CVSS5.8AI score0.00872EPSS
Exploits0References1
Krebs on Security
Krebs on Security
added 2019/08/05 2:4 p.m.57 views

The Risk of Weak Online Banking Passwords

If you bank online and choose weak or re-used passwords, there's a decent chance your account could be pilfered by cyberthieves -- even if your bank offers multi-factor authentication as part of its login process. This story is about how crooks increasingly are abusing third-party financial...

7.3AI score
Exploits0
CNVD
CNVD
added 2019/08/01 12:0 a.m.3 views

cPanel Input Validation Error Vulnerability (CNVD-2019-26365)

cPanel is a set of Web-based automated colocation platform from the US-based cPanel. The platform is primarily used to automate the management of websites and servers. An input validation error vulnerability exists in versions of cPanel prior to 78.0.2. The vulnerability stems from a web-based...

4.3CVSS6.8AI score0.00633EPSS
Exploits0References1
OSV
OSV
added 2019/07/11 2:23 p.m.21 views

GHSA-8W3J-G983-8JH5 Sensitive Data Exposure in parse-server

Versions of parse-server prior to 3.6.0 could allow an account enumeration attack via account linking. ParseError.ACCOUNTALREADYLINKED208 was thrown BEFORE the AuthController checks the password and throws a ParseError.SESSIONMISSING206 for Insufficient auth. An attacker can guess ids and get...

5.3CVSS5AI score0.01155EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2019/07/11 2:23 p.m.27 views

Sensitive Data Exposure in parse-server

Versions of parse-server prior to 3.6.0 could allow an account enumeration attack via account linking. ParseError.ACCOUNTALREADYLINKED208 was thrown BEFORE the AuthController checks the password and throws a ParseError.SESSIONMISSING206 for Insufficient auth. An attacker can guess ids and get...

5.3CVSS5.3AI score0.01155EPSS
Exploits0References7Affected Software1
Positive Technologies
Positive Technologies
added 2019/04/30 12:0 a.m.8 views

PT-2019-11717 · Jenkins · Jenkins Gitlab Authentication Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins GitHub Authentication Plugin versions 0.31 and earlier Description: The issue concerns the management of the state parameter of OAuth to prevent CSRF. An attacker could catch the redirect URL provided during the authentication process...

8.8CVSS8.8AI score0.02125EPSS
Exploits0References7
Hacker One
Hacker One
added 2019/01/04 7:53 p.m.26 views

Rockstar Games: CSRF Vulnerability on https://signin.rockstargames.com/tpa/facebook/link/

In this report, the researcher identified a Cross-Site Request Forgery vulnerability that could have allowed attackers to link a Facebook account to another user's Social Club account, and thus gain the ability to log in as the victim. We implemented an anti-CSRF token as part of the...

2.8AI score
Exploits0
Rows per page
Query Builder