Lucene search
K

144 matches found

OSV
OSV
added 2023/12/12 12:58 a.m.9 views

GHSA-26HR-Q2WP-RVC5 User with permission to write actions can impersonate another user when auth token is configured in environment variable

Impact When lakeFS is configured with ALL of the following: - Configuration option auth.encrypt.secretkey passed through environment variable - Actions enabled via configuration option actions.enabled default enabled then a user who can configure an action can impersonate any other user. Patches...

6.2CVSS7AI score
Exploits0References2
OSV
OSV
added 2023/09/27 3:19 p.m.4 views

CVE-2023-41904

Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass for AuthToken generation in REST APIs...

5.4CVSS5.8AI score0.01988EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2023/09/27 3:19 p.m.3 views

CVE-2023-41904

Zoho ManageEngine ADManager Plus before 7203 allows 2FA bypass for AuthToken generation in REST APIs...

5.4CVSS5.8AI score0.01988EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2023/09/15 12:0 a.m.5 views

PT-2023-16542 · Red Hat +1 · Openshift Console +1

Name of the Vulnerable Software and Affected Versions: OpenShift console affected versions not specified Description: A flaw was found in the Network Observability plugin for OpenShift console. Unless the Loki authToken configuration is set to FORWARD mode, authentication is no longer enforced,...

7.5CVSS7AI score0.00854EPSS
Exploits0References9
vulnersOsv
vulnersOsv
added 2023/07/03 3:30 p.m.3 views

aldryn-django (>=4.2.10.0 <=4.2.18.0), alertwise (=1.0.0) +114 more potentially affected by CVE-2023-36053 via django (>=4.2.0 <=4.2.29)

django PYPI version =4.2.0, =4.2.10.0, =65.10.0, =7.5.1, =1.0.2, =0.0.1, =1.3.9, =0.4.0, =0.0.1, =4.16.2, =4.8.0, =0.0.4.dev0, =8.0.0, =8.5.1 and more Source cves: CVE-2023-36053 Source advisory: OSV:GHSA-JH3W-4VVF-MJGR...

7.5CVSS7AI score0.02978EPSS
Exploits0
OSV
OSV
added 2023/07/03 3:15 p.m.7 views

CVE-2023-26258

Arcserve UDP through 9.0.6034 allows authentication bypass. The method getVersionInfo at WebServiceImpl/services/FlashServiceImpl leaks the AuthUUID token. This token can be used at /WebServiceImpl/services/VirtualStandbyServiceImpl to obtain a valid session. This session can be used to execute a...

9.8CVSS5.9AI score0.37715EPSS
Exploits2References3
NVD
NVD
added 2023/06/15 9:15 p.m.21 views

CVE-2023-24030

An open redirect vulnerability exists in the /preauth Servlet in Zimbra Collaboration Suite through 9.0 and 8.8.15. To exploit the vulnerability, an attacker would need to have obtained a valid zimbra auth token or a valid preauth token. Once the token is obtained, an attacker could redirect a us...

6.1CVSS6.1AI score0.00393EPSS
Exploits0References2
Huntr
Huntr
added 2023/05/30 9:10 a.m.16 views

missing permission check for API /setting/workspace/member/update

Proof of Concept 1 user1 是workspace1的空间管理员 2 user2 是workspace1的成员 3 user1 更新user2的信息,比如将其更新为空间管理员 4 使用burpsuite拦截请求 POST /setting/workspace/member/update HTTP/1.1 Host: 192.168.213.128:8081 Content-Length: 144 Accept-Language: zh-CN WORKSPACE: bd6fc04b-15af-43dc-8cb6-411deaec81a7 User-Agent:...

6.5CVSS7AI score0.00711EPSS
Exploits1
OSV
OSV
added 2023/04/26 2:15 p.m.4 views

UBUNTU-CVE-2023-1387

Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter authtoken and use it as the authentication token. By enabling the "urllogin" configuration option disabled by default, a...

7.5CVSS7.2AI score0.01504EPSS
Exploits1References4
Grafana
Grafana
added 2023/04/26 12:0 a.m.11 views

JWT URL-login flow leaks token to data sources through request parameter in proxy requests

Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana introduced the ability to search for a JWT in the URL query parameter authtoken and use it as the authentication token. By enabling the “urllogin” configuration option disabled by default, a...

7.5CVSS7.1AI score0.01504EPSS
Exploits1
Positive Technologies
Positive Technologies
added 2022/12/15 12:0 a.m.5 views

PT-2022-26184 · Unknown · Bigbluebutton

Name of the Vulnerable Software and Affected Versions: BigBlueButton versions prior to 2.4.3 Description: The issue is related to Insufficient Verification of Data Authenticity, resulting in Denial of Service. An attacker can make a Meteor call to validateAuthToken using a victim's userId,...

4.3CVSS4.4AI score0.00361EPSS
Exploits0References8
NVD
NVD
added 2022/05/26 4:15 p.m.13 views

CVE-2022-24414

Dell EMC CloudLink 7.1.3 and all earlier versions, Auth Token is exposed in GET requests. These request parameters can get logged in reverse proxies and server logs. Attackers may potentially use these tokens to access CloudLink server. Tokens should not be used in request URL to avoid such attac...

7.6CVSS0.00591EPSS
Exploits0References1
Prion
Prion
added 2022/05/26 4:15 p.m.13 views

Design/Logic Flaw

Dell EMC CloudLink 7.1.3 and all earlier versions, Auth Token is exposed in GET requests. These request parameters can get logged in reverse proxies and server logs. Attackers may potentially use these tokens to access CloudLink server. Tokens should not be used in request URL to avoid such attac...

4CVSS6.5AI score0.00591EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2022/05/26 3:20 p.m.19 views

CVE-2022-24414

Dell EMC CloudLink 7.1.3 and all earlier versions, Auth Token is exposed in GET requests. These request parameters can get logged in reverse proxies and server logs. Attackers may potentially use these tokens to access CloudLink server. Tokens should not be used in request URL to avoid such attac...

7.6CVSS7.6AI score0.00591EPSS
Exploits0References1
CVE
CVE
added 2022/05/26 3:20 p.m.62 views

CVE-2022-24414

CVE-2022-24414 affects Dell EMC CloudLink 7.1.3 and earlier. The authentication token is exposed in GET request parameters, which can be logged by reverse proxies and servers, potentially allowing attackers to access the CloudLink server. The underlying issue is insecure token usage in URLs. Expe...

7.6CVSS6.4AI score0.00591EPSS
Exploits0References1Affected Software1
Positive Technologies
Positive Technologies
added 2022/05/11 12:0 a.m.4 views

PT-2022-13879 · Gitlab · Gitlab

Name of the Vulnerable Software and Affected Versions: GitLab versions 12.6 through 14.8.5 GitLab versions 14.9 through 14.9.3 GitLab versions 14.10 through 14.10.0 Description: An issue has been discovered in GitLab where the platform was not correctly authenticating a user who had a certain...

4.3CVSS4AI score0.00866EPSS
Exploits0References9
GithubExploit
GithubExploit
added 2022/05/09 11:46 a.m.399 views

Exploit for Missing Authentication for Critical Function in F5 Big-Ip_Access_Policy_Manager

CVE-2022-1388 POC for CVE-2022-1388 affecting multiple F5 prod...

9.8CVSS10AI score0.99956EPSS
Exploits63
ATTACKERKB
ATTACKERKB
added 2022/03/16 12:0 a.m.7 views

CVE-2022-24414

Dell EMC CloudLink 7.1.3 and all earlier versions, Auth Token is exposed in GET requests. These request parameters can get logged in reverse proxies and server logs. Attackers may potentially use these tokens to access CloudLink server. Tokens should not be used in request URL to avoid such attac...

7.6CVSS6.6AI score0.00591EPSS
Exploits0References2
IBM Security Bulletins
IBM Security Bulletins
added 2021/07/23 2:37 p.m.22 views

Security Bulletin: IBM i2 Analyze and i2 Analyst's Notebook Premium has session handling vulnerability (CVE-2021-20431)

Summary i2 Analyze is subject to an auth token expiration vulnerability. Vulnerability Details CVEID: CVE-2021-20431 DESCRIPTION: IBM i2 Analyst's Notebook Premium does not invalidate session after logout which could allow an an attacker to obtain sensitive information from the system. CVSS Base...

6.5CVSS1AI score0.00935EPSS
Exploits0Affected Software1
OSV
OSV
added 2021/07/02 7:15 p.m.21 views

CVE-2021-34807

An open redirect vulnerability exists in the /preauth Servlet in Zimbra Collaboration Suite through 9.0. To exploit the vulnerability, an attacker would need to have obtained a valid zimbra auth token or a valid preauth token. Once the token is obtained, an attacker could redirect a user to any U...

6.1CVSS6.6AI score
Exploits0References4
Rows per page
Query Builder