
147 matches found

Positive Technologies
added 2023/07/12 12:00 a.m. · 4 views

PT-2023-26210 · Jenkins · Jenkins Assembla Auth Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Assembla Auth Plugin versions 1.14 and earlier. Description: A cross-site request forgery (CSRF) vulnerability allows attackers to trick users into logging in to the attacker's account. This issue arises because the plugin does not...

CVSS 8.8 · AI score 8.8 · EPSS 0.00413
Exploits 0 · References 6
Prion
added 2023/06/09 8:15 p.m. · 18 views

Authorization

UmbracoIdentityExtensions is an Umbraco add-on package that enables easy extensibility points for ASP.Net Identity integration. In affected versions client secrets are not required which may expose some endpoints to untrusted actors. Since Umbraco is not a single-page application, the implicit fl...

CVSS 5 · AI score 5.3 · EPSS 0.00625
Exploits 0 · References 4 · Affected Software 1
Citrix
added 2023/03/21 12:00 a.m. · 7 views

[NetScaler] LDAP password can be changed with an incorrect Radius Passcode

Below is an example of a common two-factor authentication flow. Root factor: Start Login Schema XML = /nsconfig/loginschema/LoginSchema/DualAuth.xml; Adv Authn Policy = LDAPPol; Rule = true; Action = LDAPAct; Next Factor if Success = RadiusFactor; Login Schema Profile = LSCHEMAINT; Adv Authn Policy =...

AI score 7.5
Exploits 0
NVD
added 2022/11/15 9:15 p.m. · 30 views

CVE-2022-20928

A vulnerability in the authentication and authorization flows for VPN connections in Cisco Adaptive Security Appliance (ASA) Software and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to establish a connection as a different user. This vulnerability is due to...

CVSS 5.8 · EPSS 0.00683
Exploits 0 · References 1
ATTACKERKB
added 2022/05/04 5:15 p.m. · 6 views

CVE-2022-23724

Use of static encryption key material allows forging an authentication token for other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, an attacker must have compromised user credentials...

CVSS 8.1 · AI score 7.2 · EPSS 0.00407
Exploits 0 · References 3
NVD
added 2022/05/02 10:15 p.m. · 20 views

CVE-2022-23723

An MFA bypass vulnerability exists in the PingFederate PingOne MFA Integration Kit when adapter HTML templates are used as part of an authentication flow...

CVSS 7.7 · EPSS 0.00824
Exploits 0 · References 2
OSV
added 2022/05/02 10:15 p.m. · 1 view

CVE-2022-23723

An MFA bypass vulnerability exists in the PingFederate PingOne MFA Integration Kit when adapter HTML templates are used as part of an authentication flow...

CVSS 7.7 · AI score 5.8 · EPSS 0.00824
Exploits 0 · References 2
Prion
added 2022/05/02 10:15 p.m. · 12 views

Security feature bypass

An MFA bypass vulnerability exists in the PingFederate PingOne MFA Integration Kit when adapter HTML templates are used as part of an authentication flow...

CVSS 5 · AI score 7.6 · EPSS 0.00824
Exploits 0 · References 2 · Affected Software 1
Cvelist
added 2022/05/02 10:05 p.m. · 26 views

CVE-2022-23723 PingFederate PingOneMFA Integration Kit MFA Bypass

An MFA bypass vulnerability exists in the PingFederate PingOne MFA Integration Kit when adapter HTML templates are used as part of an authentication flow...

CVSS 7.7 · AI score 7.9 · EPSS 0.00824
Exploits 0 · References 2
CNNVD
added 2022/05/02 12:00 a.m. · 4 views

Ping Identity PingFederate authorization issue vulnerability

Ping Identity PingFederate is a flagship software-based federation server for identity management from the United States. Ping Identity PingFederate has a security vulnerability that originates from an MFA bypass in the PingOne MFA Integration Kit when an adapter HTML template is...

CVSS 7.7 · AI score 7.4 · EPSS 0.00824
Exploits 0 · References 3
Positive Technologies
added 2022/05/02 12:00 a.m. · 4 views

PT-2022-16228 · Ping Identity · Pingfederate Pingone Mfa Integration Kit

Name of the Vulnerable Software and Affected Versions: PingFederate PingOne MFA Integration Kit, affected versions not specified. Description: An MFA bypass issue exists when adapter HTML templates are used as part of an authentication flow. This allows for potential bypass of multi-factor...

CVSS 7.7 · AI score 7.6 · EPSS 0.00824
Exploits 0 · References 6
Hacker One
added 2021/06/27 3:45 p.m. · 21 views

Zenly: Account Takeover via SMS Authentication Flow

Summary: During the authentication flow, an SMS is sent to the user in order to validate the session and proceed to the user account. The Zenly API handles this flow by: 1. Calling the /SessionCreate endpoint with the mobile phone number of the user. 2. A session for the user is created an...

AI score 0.7
Exploits 0
CVE
added 2020/06/29 7:45 p.m. · 65 views

CVE-2020-4037

CVE-2020-4037 concerns OAuth2 Proxy where versions 5.1.1 and older (up to 5.9.x) allow a user-supplied redirect URL at the end of the authentication flow. The redirect target is validated by the proxy, but the issue arises from insufficiently restricted redirects, potentially enabling open redire...

CVSS 5.8 · AI score 4.8 · EPSS 0.00896
Exploits 0 · References 2 · Affected Software 1
BDU FSTEC
added 2020/06/10 12:00 a.m. · 3 views

A vulnerability in the BruteForceProtector component of the Keycloak identity and access management software allows an attacker to gain unauthorized access to protected information.

The Keycloak identity and access management software is vulnerable due to errors in the handling of a configured “Conditional OTP Authentication Flow”. Exploiting this vulnerability could allow a malicious actor to gain unauthorized access to protected information...

CVSS 10 · AI score 6.7 · EPSS 0.01092
Exploits 0 · References 4 · Affected Software 3
OSV
added 2020/03/24 2:15 p.m. · 10 views

CVE-2020-1744

A flaw was found in Keycloak before version 9.0.1. When configuring a Conditional OTP Authentication Flow as a post-login flow of an IDP, the failed login events for OTP are not sent to the brute force protection event queue, so BruteForceProtector does not handle these events...

CVSS 5.6 · AI score 6.8 · EPSS 0.01092
Exploits 0 · References 2
Cvelist
added 2020/03/24 12:00 a.m. · 42 views

CVE-2020-1744

A flaw was found in Keycloak before version 9.0.1. When configuring a Conditional OTP Authentication Flow as a post-login flow of an IDP, the failed login events for OTP are not sent to the brute force protection event queue, so BruteForceProtector does not handle these events...

CVSS 5.6 · AI score 5.3 · EPSS 0.01092
Exploits 0 · References 2
Positive Technologies
added 2020/03/24 12:00 a.m. · 3 views

PT-2020-2664

Name of the Vulnerable Software and Affected Versions: Keycloak versions prior to 9.0.1. Description: A flaw was found in Keycloak when configuring a Conditional OTP Authentication Flow as a post-login flow of an IDP. The failed login events for OTP are not sent to the brute force protection...

CVSS 10 · AI score 7.5 · EPSS 0.01092
Exploits 1 · References 60
RedHat Linux
added 2020/03/20 12:12 a.m. · 1 view

atomic-openshift: reflected XSS in authentication flow

A reflected XSS vulnerability exists in the authentication flow of the OpenShift Container Platform. An attacker could use this flaw to steal authentication data by having users click a malicious link...

CVSS 5.4 · AI score 5.8 · EPSS 0.00869
Exploits 0 · References 4
RedHat Linux
added 2020/03/20 12:12 a.m. · 57 views

Moderate: Red Hat Security Advisory: OpenShift Container Platform 3.11 security update

Red Hat OpenShift Container Platform release 3.11.188 is now available with updates to packages and images that fix several bugs and add enhancements. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, whi...

CVSS 5.4 · AI score 5.8 · EPSS 0.00869
Exploits 0 · References 2
CVE
added 2018/08/01 5:00 p.m. · 83 views

CVE-2016-8609

CVE-2016-8609 affects Keycloak before 2.3.0, where the authentication flow is not implemented correctly. An attacker could craft a phishing URL to hijack a user session, leading to information disclosure and potential further attacks. Public advisories in the connected set reiterate the issue and...

CVSS 8.1 · AI score 7.8 · EPSS 0.01679
Exploits 0 · References 4 · Affected Software 1