816 matches found
CVE-2021-38299
Webauthn Framework 3.3.x before 3.3.4 has Incorrect Access Control. An attacker that controls a user's system is able to login to a vulnerable service using an attached FIDO2 authenticator without passing a check of the user presence...
Webauthn-Framework authorization vulnerability
Webauthn-Framework is an authentication mechanism. It is used by Web applications to create and use strong, proven, scoped, public-key based credentials for strong authentication of users. Webauthn-Framework suffers from a security vulnerability that allows an attacker in control of a user's syst...
Microsoft makes a bold move towards a password-less future
In a recent blog Microsoft announced that as of September 15, 2021 you can completely remove the password from your Microsoft account and use the Microsoft Authenticator app, Windows Hello, a security key, or a verification code sent to your phone or email to sign in to Microsoft apps and service...
You Can Now Sign-in to Your Microsoft Accounts Without a Password
Microsoft on Wednesday announced a new passwordless mechanism that allows users to access their accounts without a password by using Microsoft Authenticator, Windows Hello, a security key, or a verification code sent via SMS or email. The change is expected to be rolled out in the coming weeks...
The passwordless future is here for your Microsoft account
Nobody likes passwords. They’re inconvenient. They’re a prime target for attacks. Yet for years they’ve been the most important layer of security for everything in our digital lives—from email to bank accounts, shopping carts to video games. We are expected to create complex and unique passwords,...
matrix-server-isenguard (=0.1.1), matrix-temp-mail-checker (>=0.1.2 <=0.1.5) +6 more potentially affected by CVE-2021-39164 via matrix-synapse (>=0.33.9 <=1.152.1)
matrix-synapse PYPI version =0.33.9, =0.1.2, =0.100.2, =0.1.0, =0.1.0, =0.8.0, =0.8.4 Source cves: CVE-2021-39164 Source advisory: OSV:GHSA-3X4C-PQ33-4W3Q...
miniOrange's Google Authenticator < 5.4.40 - Reflected Cross-Site Scripting
The plugin does not escape the user parameter before outputting it back in an attribute in the dashboard page to confirm the 2FA reset, leading to a Reflected Cross-Site Scripting issue https://example.com/wp-admin/users.php?page=reset&action=resetedit&user="alert/XSS/...
GHSA-Q39C-5VH5-VW2P Improper Authentication in Apereo CAS
Apereo CAS 5.3.x before 5.3.16, 6.x before 6.1.7.2, 6.2.x before 6.2.4, and 6.3.x before 6.3.0-RC4 mishandles secret keys with Google Authenticator for multifactor authentication...
Fortinet FortiMail security feature vulnerability
Fortinet FortiMail is a set of e-mail security gateway products from the U.S. company Fortinet. The product provides email security and data protection features. A security feature vulnerability exists in Fortinet FortiMail, which stems from the use of a weak pseudo-random number generator in the...
SMS authentication code includes ad: a very bad idea
SMS authentication codes are back in the news, and the word I'd use to summarise their reappearance is "embattled." I can still remember a time when two-factor authentication (2FA), authentication grids, regional lockouts, Yubikeys, and offline authentication apps simply did not exist. And if they...
New API Lets App Developers Authenticate Users via SIM Cards
Online account creation poses a challenge for engineers and system architects: if you put up too many barriers, you risk turning away genuine users. Make it too easy, and you risk fraud or fake accounts. The Problem with Identity Verification: The traditional model of online identity –...
Using Fake Reviews to Find Dangerous Extensions
Fake, positive reviews have infiltrated nearly every corner of life online these days, confusing consumers while offering an unwelcome advantage to fraudsters and sub-par products everywhere. Happily, identifying and tracking these fake reviewer accounts is often the easiest way to spot scams...
Prevent user enumeration using Guard or the new Authenticator-based Security
Description ----------- The ability to enumerate users was possible without relevant permissions due to different exception messages depending on whether the user existed or not. It was also possible to enumerate users by using a timing attack, by comparing time elapsed when authenticating an...
CVE-2021-21424 Prevent user enumeration using Guard or the new Authenticator-based Security
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. The ability to enumerate users was possible without relevant permissions due to different handling depending on whether the user existed or not when attempting to use the switch users functionality. ...