PT-2022-13048 · Miniorange · Google Authenticator Wordpress Plugin

Name of the Vulnerable Software and Affected Versions: miniOrange's Google Authenticator WordPress plugin versions prior to 5.5 Description: The issue arises from the lack of proper authorization and CSRF checks when handling the reconfigureMethod, and improper validation of parameters passed to...

Escobar is the new Android banking Trojan we’ve met before

Aberebot, a known Android banking Trojan, has changed its name and returned loaded with new features. First spotted by @MalwareHunterTeam in early March, this mobile variant was renamed "Escobar"—a homage to the Colombian drug baron—and disguised itself as a McAfee app. It went by the package nam...

WordPress miniOrange's Google Authenticator plugin <= 5.4.52 - Unauthenticated Arbitrary Options Deletion vulnerability

Unauthenticated Arbitrary Options Deletion vulnerability discovered by Krzysztof Zając in WordPress miniOrange's Google Authenticator plugin versions = 5.4.52. Solution Update the WordPress miniOrange's Google Authenticator plugin to the latest available version at least 5.5...

miniOrange's Google Authenticator < 5.5 - Unauthenticated Arbitrary Options Deletion

The plugin does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable. Note: The initial issue was fixed in...

miniOrange's Google Authenticator < 5.5 - Unauthenticated Arbitrary Options Deletion

The plugin does not have proper authorisation and CSRF checks when handling the reconfigureMethod, and does not validate the parameters passed to it properly. As a result, unauthenticated users could delete arbitrary options from the blog, making it unusable. Note: The initial issue was fixed in...

PT-2022-2556 · Atlassian · Bitbucket

Name of the Vulnerable Software and Affected Versions: Atlassian Bitbucket Data Center versions 5.14.0 through 7.6.13 Atlassian Bitbucket Data Center versions 7.7.0 through 7.17.5 Atlassian Bitbucket Data Center versions 7.18.0 through 7.18.3 Atlassian Bitbucket Data Center versions 7.19.0 throug...

GHSA-45W3-V3G4-54PM Chrono has potential segfault issue in SPIFFE authenticator

Impact Several vulnerabilities have been reported in the time and chrono crates related to handling of calls to localtimer. You can follow some of the discussions here and here, and the associated CVE here. In our case, the issue with the dependency was flagged by our nightly CI build running...

Chrono has potential segfault issue in SPIFFE authenticator

Impact Several vulnerabilities have been reported in the time and chrono crates related to handling of calls to localtimer. You can follow some of the discussions here and here, and the associated CVE here. In our case, the issue with the dependency was flagged by our nightly CI build running...

CVE-2021-43068

A improper authentication in Fortinet FortiAuthenticator version 6.4.0 allows user to bypass the second factor of authentication via a RADIUS login portal...

CVE-2021-43067

A exposure of sensitive information to an unauthorized actor in Fortinet FortiAuthenticator version 6.4.0, version 6.3.2 and below, version 6.2.1 and below, version 6.1.2 and below, version 6.0.7 to 6.0.1 allows attacker to duplicate a target LDAP user 2 factors authentication token via crafted...

4 Android Banking Trojan Campaigns Targeted Over 300,000 Devices in 2021

Four different Android banking trojans were spread via the official Google Play Store between August and November 2021, resulting in more than 300,000 infections through various dropper apps that posed as seemingly harmless utility apps to take full control of the infected devices. Designed to...

matrix-server-isenguard (=0.1.1), matrix-temp-mail-checker (>=0.1.2 <=0.1.5) +6 more potentially affected by CVE-2021-41281 via matrix-synapse (>=0.33.9 <=1.152.1)

matrix-synapse PYPI version =0.33.9, =0.1.2, =0.100.2, =0.1.0, =0.1.0, =0.8.0, =0.8.4 Source cves: CVE-2021-41281 Source advisory: OSV:PYSEC-2021-436...

CVE-2021-41194

FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if createusers=True and t...

PYSEC-2021-384

FirstUseAuthenticator is a JupyterHub authenticator that helps new users set their password on their first login to JupyterHub. When JupyterHub is used with FirstUseAuthenticator, a vulnerability in versions prior to 1.0.0 allows unauthorized access to any user's account if createusers=True and t...

How to Switch From Google Authenticator to Another 2FA App

Yes, you can choose another two-factor authentication app without getting locked out of your accounts...

@questwork/authenticator (>=0.1.0 <=0.1.5), @questwork/qw-service-tools (>=0.0.8 <=0.1.4) +22 more potentially affected by CVE-2021-23561 via comb (>=0.0.6 <=2.0.0)

comb NPM version =0.0.6, =0.1.0, =0.0.8, =0.0.1, =1.0.3, =0.0.1, =0.1.0, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.1, =0.0.2 and more Source cves: CVE-2021-23561 Source advisory: SNYK:JS-COMB-1730083...

3 key resources to accelerate your passwordless journey

Every organization today faces password-related challenges—phishing campaigns, productivity loss, and password management costs to name just a few. The risks now outweigh the benefits when it comes to passwords. Even the strongest passwords are easily phish-able and vulnerable to attacks, such as...

3 key resources to accelerate your passwordless journey

Every organization today faces password-related challenges—phishing campaigns, productivity loss, and password management costs to name just a few. The risks now outweigh the benefits when it comes to passwords. Even the strongest passwords are easily phish-able and vulnerable to attacks, such as...

Improper Access Control in Webauthn Framework

Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence...

GHSA-6WHF-Q6P5-84WG Improper Access Control in Webauthn Framework

Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence...