
813 matches found

CVE
added 2019/07/15 9:13 p.m., 184 views

CVE-2019-0234

Summary: CVE-2019-0234 is a reflected XSS in Apache Roller caused by Roller's Math Comment Authenticator not properly sanitizing input. Affected versions include Roller 5.2.1–5.2.2 (and related 5.2.x builds) prior to 5.2.3. Impact: attacker-controlled input could trigger reflected XSS. Mitigation...

6.1 CVSS | 6 AI score | 0.01274 EPSS
Exploits 0 | References 2 | Affected Software 1
OSV
added 2019/06/28 10:15 a.m., 9 views

CVE-2019-12995

Istio before 1.2.2 mishandles certain access tokens, leading to "Epoch 0 terminated with an error" in Envoy. This is related to a jwtauthenticator.cc segmentation fault...

7.5 CVSS | 6.8 AI score
Exploits 0 | References 3
Cvelist
added 2019/06/28 9:55 a.m., 11 views

CVE-2019-12995

Istio before 1.2.2 mishandles certain access tokens, leading to "Epoch 0 terminated with an error" in Envoy. This is related to a jwtauthenticator.cc segmentation fault...

7.5 AI score | 0.00616 EPSS
Exploits 0 | References 3
NVD
added 2019/06/12 2:29 p.m., 17 views

CVE-2019-3875

A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often availab...

6.5 CVSS | 6.4 AI score | 0.00047 EPSS
Exploits 0 | References 2
Cvelist
added 2019/06/12 1:51 p.m., 20 views

CVE-2019-3875

A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often availab...

6.5 CVSS | 6.4 AI score | 0.00047 EPSS
Exploits 0 | References 2
RedhatCVE
added 2019/06/11 2:52 p.m., 48 views

CVE-2019-3875

A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The CRL are often availab...

6.5 CVSS | 1.2 AI score | 0.00047 EPSS
Exploits 0 | References 3
Microsoft Secure
added 2019/06/10 4:0 p.m., 70 views

Advancing Windows 10 as a passwordless platform

Passwords can be frustrating, difficult to remember, and easily hacked or stolen. That’s why our vision for Windows is one of a passwordless platform—a world where users don’t have to deal with the pains of a password. With the release of Windows 10, version 1903, we’re bringing Windows 10 closer...

1.3 AI score
Exploits 0
Prion
added 2019/05/13 7:29 p.m., 15 views

Authentication flaw

Citrix ShareFile before 19.23 allows a downgrade from two-factor authentication to one-factor authentication. An attacker with access to the offline victim's otp physical token or virtual app like google authenticator is able to bypass the first authentication phase username/password mechanism an...

4.3 CVSS | 5.7 AI score | 0.00269 EPSS
Exploits 1 | References 1 | Affected Software 1
Filippo.io
added 2019/04/02 4:45 p.m., 82 views

A Go implementation of Poly1305 that makes sense

Poly1305 is a Message Authentication Code--a cryptographic primitive for authenticating a message with a shared secret key, like HMAC. Although it's really a fraction of the complexity of e.g. elliptic curves, most of the implementations I've read look decidedly like magic, mysteriously multiplying...

7.4 AI score
Exploits 0
Microsoft Secure
added 2018/09/24 1:0 p.m., 33 views

Delivering security innovation that puts Microsoft’s experience to work for you

Cybersecurity is the central challenge of our digital age. Without it, everything from our personal email accounts and privacy to the way we do business, and all types of critical infrastructure, are under threat. As attackers evolve, staying ahead of these threats is getting harder. Microsoft ca...

7 AI score
Exploits 0
Fedora
added 2018/08/23 9:46 a.m., 34 views

[SECURITY] Fedora 27 Update: wpa_supplicant-2.6-14.fc27

wpa_supplicant is a WPA Supplicant for Linux, BSD and Windows with support for WPA and WPA2 (IEEE 802.11i / RSN). Supplicant is the IEEE 802.1X/WPA component that is used in the client stations. It implements key negotiation with a WPA Authenticator and it controls the roaming and IEEE 802.11...

6.5 CVSS | 5.2 AI score | 0.00964 EPSS
Exploits 0
Saint
added 2018/05/16 12:0 a.m., 592 views

Exim SMTP listener base64d function one-character buffer overflow

Added: 05/16/2018. CVE: CVE-2018-6789. BID: 103049. Background: Exim is a mail transfer agent used on Unix-like operating systems. Problem: Exim 5.90 and earlier are vulnerable to a one-character buffer overflow in the base64d function in the SMTP listener. Resolution: Upgrade to Exim 4.90.1 or higher,...

7.5 CVSS | 7.5 AI score | 0.86592 EPSS
Exploits 19
Citrix
added 2018/05/02 12:0 a.m., 6 views

How To Deploy NetScaler as Both OAuth SP and IdP

Deploying the NetScaler as both an OAuth Service Provider (SP) and IdP (Identity Provider) or OpenID Authenticator. This can be on the same NetScaler, or on two separate appliances...

7.2 AI score
Exploits 0
Microsoft Secure
added 2018/05/01 5:0 p.m., 16 views

Building a world without passwords

Nobody likes passwords. They are inconvenient, insecure, and expensive. In fact, we dislike them so much that we've been busy at work trying to create a world without them, a world without passwords. In this blog, we will provide a brief insight into how we at Microsoft think about solving this...

Exploits 0
Citrix
added 2018/03/28 12:0 a.m., 5 views

Use of Microsoft Authenticator App to as 2-factor authentication for O365 access using XenMobile

Question - Can we use the Microsoft Authenticator app as a means of 2-factor authentication to secure access to XenMobile integrated O365 environment? Answer - Currently use of Microsoft Authenticator as a means to provide 2-factor authentication is only possible for O365 apps. The security featu...

7.2 AI score
Exploits 0
Trend Micro Simply Security
added 2018/03/13 1:27 p.m., 64 views

Two-Factor Authentication: What is it and why do I need it to stay safe online?

Today, Americans are living more and more of their lives on the internet. We shop, bank, socialize, work and play online. But as our digital lives become increasingly important, they are also exposed to greater risks. Hackers are lurking around every corner ready to steal our identities, drain ou...

7.5 AI score
Exploits 0
Hacker One
added 2017/10/16 1:6 a.m., 26 views

Ian Dunn: Timing Attack in Google Authenticator - Per User Prompt

Google Authenticator - Per User Prompt contains a timing attack vulnerability in how it validates the application password for a user account. if sha1 $attemptedpasswordplaintext === $validpasswordhash || wpcheckpassword $attemptedpasswordplaintext, $validpasswordhash...

7.1 AI score
Exploits 0
BDU FSTEC
added 2017/06/15 12:0 a.m., 0 views

The vulnerability of the gpkcsp.dll authenticator service on the Windows operating system allows a perpetrator to execute arbitrary code.

The vulnerability of the Windows operating system’s smart card authentication service gpkcsp.dll arises due to buffer overflow. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by connecting to a remote desktop...

9.3 CVSS
Exploits 0 | References 4
ThreatPost
added 2017/04/19 4:8 p.m., 12 views

Microsoft Touts New Phone-Based Login Mechanism

It likely won’t mark the death knell of passwords but Microsoft announced this week it's giving users a new way to sign into their accounts without having to enter a lengthy combination of numbers, letters and characters. The feature, which relies on users having access to their mobile phones, is...

7.1 AI score
Exploits 0 | References 7
hackapp
added 2017/01/31 11:39 p.m., 151 views

Microsoft Authenticator - Dangerous filesystem permissions, WebView code execution vulnerabilities

HackApp vulnerability scanner discovered that application Microsoft Authenticator published at the 'play' market has multiple vulnerabilities...

1.2 AI score
Exploits 0 | References 1 | Affected Software 1