miniOrange's Google Authenticator < 5.5.75 - Reflected Cross-Site Scripting

The plugin does not escape some URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting PoC https://example.com/wp-admin/admin.php?page=mo2fatwofa"...

MAL-2022-6791 Malicious code in universal-authenticator-library-js-example (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 634c9abec0578ad529a15e3faab7ef695e47e5a1b95299329e27a8ca7e00e22f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Google Authenticator < 1.0.8 - Admin+ Stored Cross-Site Scripting

The plugin does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed PoC Put the following payload in the Account Name settings and click on the 'Change App name' button: " autofocus...

miniOrange's Google Authenticator < 5.5.6 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfilteredhtml is disallowed for example in multisite setup Enable 2FA + Website Security and put...

Google Authenticator < 1.0.8 - Admin+ Stored Cross-Site Scripting

The plugin does not escape its settings, allowing high privilege users such as admin to perform Cross-Site Scripting attacks even when the unfilteredhtml is disallowed Put the following payload in the Account Name settings and click on the 'Change App name' button: " autofocus onfocus=alert/XSS//...

miniOrange's Google Authenticator < 5.5.6 - Admin+ Stored Cross-Site Scripting

The plugin does not sanitise and escape some of its settings, leading to malicious users with administrator privileges to store malicious Javascript code leading to Cross-Site Scripting attacks when unfilteredhtml is disallowed for example in multisite setup PoC Enable 2FA + Website Security and...

WordPress miniOrange's Google Authenticator plugin <= 5.5.5 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability

Authenticated Stored Cross-Site Scripting XSS vulnerability discovered by Niraj Mahajan in WordPress miniOrange's Google Authenticator plugin versions = 5.5.5. Solution Update the WordPress miniOrange's Google Authenticator plugin to the latest available version at least 5.5.6...

miniOrange Google Authenticator < 1.0.5 - CSRF to Stored Cross-Site Scripting

The plugin does not have CSRF check when saving its settings, and does not sanitise as well as escape them, allowing attackers to make a logged in admin change them and perform Cross-Site Scripting attacks v ' / v...

Exploit for Deserialization of Untrusted Data in Atlassian Bitbucket_Data_Center

CVE-2022-26133 Information Description SharedSecre...

Kubernetes: Bypass validation parts in AWS IAM Authenticator for Kubernetes

Multiple bypasses were discovered in AWS IAM Authenticator for Kubernetes. An attacker could craft a token without a signed cluster ID header and use it for replay attacks, manipulate the extracted AccessKeyID to gain higher permissions in the cluster, and send a request to other action values...

This World Password Day consider ditching passwords altogether

Did you know that May 5, 2022, is World Password Day?1 Created by cybersecurity professionals in 2013 and designated as the first Thursday every May, World Password Day is meant to foster good password habits that help keep our online lives secure. It might seem strange to have a day set aside to...

CVE-2021-25266

An insecure data storage vulnerability allows a physical attacker with root privileges to retrieve TOTP secret keys from unlocked phones in Sophos Authenticator for Android version 3.4 and older, and Intercept X for Mobile Android before version 9.7.3495...

CVE-2021-25266

An insecure data storage vulnerability allows a physical attacker with root privileges to retrieve TOTP secret keys from unlocked phones in Sophos Authenticator for Android version 3.4 and older, and Intercept X for Mobile Android before version 9.7.3495...

Design/Logic Flaw

An insecure data storage vulnerability allows a physical attacker with root privileges to retrieve TOTP secret keys from unlocked phones in Sophos Authenticator for Android version 3.4 and older, and Intercept X for Mobile Android before version 9.7.3495...

CVE-2021-25266

The CVE-2021-25266 entry describes an insecure data storage vulnerability in Sophos Authenticator for Android (

CVE-2021-25266

An insecure data storage vulnerability allows a physical attacker with root privileges to retrieve TOTP secret keys from unlocked phones in Sophos Authenticator for Android version 3.4 and older, and Intercept X for Mobile Android before version 9.7.3495...

Sophos Authenticator 安全漏洞

Sophos Authenticator is a simple and intuitive application from Sophos UK. It is used to provide multiple authentication on mobile devices. Sophos Authenticator suffers from a security vulnerability that stems from insecure data storage. A physical attacker with root privileges could exploit this...

LAPSUS$ – New extortion group involved in the breach against Nvidia, Microsoft, Okta and Samsung

THREAT LEVEL: Red. For a detailed advisory, download the pdf file here Lapsus$ DEV-0537 is an extortion threat group that first appeared on December 10, 2021, and has since breached the Brazilian Ministry of Health, NVIDIA, Samsung, Vodafone, Ubisoft, Octa, and Microsoft. Unlike other extortionis...

WordPress miniOrange's Google Authenticator plugin cross-site request forgery vulnerability

WordPress is a blogging platform developed by the Wordpress Foundation using the PHP language. WordPress plugin is a WordPress application plugin. WordPress miniOrange's Google Authenticator plugin version 5.5 or earlier is vulnerable to a cross-site request forgery vulnerability that stems from...

CVE-2022-0229

The miniOrange's Google Authenticator WordPress plugin before 5.5 does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog,...