1247 matches found

Tenable Nessus
added 2023/10/16 12:0 a.m. | 31 views

Ubuntu 16.04 ESM / 18.04 ESM : aria2 vulnerability (USN-4869-1)

The remote Ubuntu 16.04 ESM / 18.04 ESM host has a package installed that is affected by a vulnerability as referenced in the USN-4869-1 advisory. It was discovered that aria2 could accidentally leak authentication data. An attacker could possibly use this to gain access to sensitive information...

CVSS 7.8 | AI score 7.4 | EPSS 0.00351
Exploits: 1 | References: 2

Citrix
added 2023/09/10 12:0 a.m. | 9 views

How to use rewrite policy to add text message or links under logon button in Gateway logon page

This article describes how to add text message or links to Gateway logon page with RfWebUI based portal theme. The below image is the Gateway logon page for an end user. Links and text message are under Log On button. The solution in this article applies to both basic authentication and AAA...

AI score 7.3
Exploits: 0

Tenable Nessus
added 2023/09/07 12:0 a.m. | 34 views

Oracle Linux 8 : squid:4 (ELSA-2020-4743)

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-4743 advisory. - An issue was discovered in Squid before 4.10. It allows a crafted FTP server to trigger disclosure of sensitive information from heap memory, such as...

CVSS 9.9 | AI score 7.5 | EPSS 0.7179
Exploits: 0 | References: 19

ICS
added 2023/08/31 6:0 a.m. | 154 views

PTC Kepware KepServerEX (Update A)

1. EXECUTIVE SUMMARY CVSS v3 6.3 ATTENTION : Exploitable remotely/low attack complexity Vendor : PTC Equipment : Kepware KepServerEX Vulnerabilities : Uncontrolled Search Path Element, Improper Input Validation, Insufficiently Protected Credentials 2. RISK EVALUATION Successful exploitation of...

CVSS 7.8 | AI score 7.1 | EPSS 0.00306
Exploits: 0 | References: 10

Positive Technologies
added 2023/08/31 12:0 a.m. | 3 views

PT-2023-5232 · Kepware · Kepserverex

Name of the Vulnerable Software and Affected Versions: KEPServerEX affected versions not specified Description: The issue is related to insufficient protection of credentials in KEPServerEX, allowing an adversary to capture user credentials due to the web server's use of basic authentication. Thi...

CVSS 6.1 | AI score 5 | EPSS 0.00306
Exploits: 0 | References: 10

Vulnrichment
added 2023/08/25 8:31 p.m. | 16 views

CVE-2023-40585 Unauthenticated access to Ironic API

ironic-image is a container image to run OpenStack Ironic as part of Metal³. Prior to version capm3-v1.4.3, if Ironic is not deployed with TLS and it does not have API and Conductor split into separate services, access to the API is not protected by any authentication. Ironic API is also listenin...

CVSS 7.3 | AI score 7 | EPSS 0.00367
Exploits: 0 | References: 2

OSV
added 2023/08/17 9:19 p.m. | 7 views

CVE-2023-40171 Dispatch writes JWT tokens in error message

Dispatch is an open source security incident management tool. The server response includes the JWT Secret Key used for signing JWT tokens in error message when the Dispatch Plugin - Basic Authentication Provider plugin encounters an error when attempting to decode a JWT token. Any Dispatch users...

CVSS 9.1 | AI score 7.5 | EPSS 0.00758
Exploits: 1 | References: 6

Veracode
added 2023/08/06 7:56 p.m. | 39 views

Authentication Bypass

gitlab is vulnerable to Authentication Bypass. The vulnerability allows an attacker to bypass 2FA for LDAP users and access some specific pages with Basic Authentication...

CVSS 9.8 | AI score 6.9 | EPSS 0.00953
Exploits: 0 | References: 3 | Affected Software: 1

Snyk
added 2023/08/01 7:41 a.m. | 5 views

Information Exposure

Overview logstash-core is a scalable log and event management tool. Affected versions of this package are vulnerable to Information Exposure. Elasticsearch Output plugin would log to file HTTP basic auth credentials when updating connections after sniffing. Remediation Upgrade logstash-core to...

CVSS 6.5 | AI score 6.9 | EPSS 0.01081
Exploits: 0 | References: 2

Prion
added 2023/07/06 11:15 p.m. | 16 views

Authentication flaw

The number of login attempts is not limited. This could allow an attacker to perform a brute force on HTTP basic authentication...

CVSS 7.5 | AI score 9.3 | EPSS 0.00528
Exploits: 0 | References: 1

CVE
added 2023/07/06 10:53 p.m. | 37 views

CVE-2023-33868

CVE-2023-33868 concerns an authentication flaw in PiiGAB M-Bus software (notably the 900S family). The root issue is an unlimited number of login attempts, enabling brute-force against HTTP basic authentication. Public sources (NVD, CVE list, PRION, ics-advisory) consistently describe this vulner...

CVSS 9.8 | AI score 7.5 | EPSS 0.00528
Exploits: 0 | References: 1 | Affected Software: 1

Positive Technologies
added 2023/07/06 12:0 a.m. | 3 views

PT-2023-24522 · Piigab · M-Bus Softwarepack +1

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: The issue concerns the lack of limitation on the number of login attempts, which could allow an attacker to perform a brute force attack on HTTP basic...

CVSS 9.8 | AI score 9.3 | EPSS 0.00528
Exploits: 0 | References: 4

OSV
added 2023/06/07 10:15 p.m. | 1 views

CVE-2023-29168

The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication...

CVSS 7.5 | AI score 7.1
Exploits: 0 | References: 2

NVD
added 2023/06/07 10:15 p.m. | 21 views

CVE-2023-29168

The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication...

CVSS 7.5 | AI score 5.8 | EPSS 0.00475
Exploits: 0 | References: 2

Prion
added 2023/06/07 10:15 p.m. | 18 views

Design/Logic Flaw

The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication...

CVSS 5 | AI score 8 | EPSS 0.00475
Exploits: 0 | References: 2 | Affected Software: 1

Vulnrichment
added 2023/06/07 9:42 p.m. | 12 views

CVE-2023-29168 PTC Vuforia Studio Insufficiently Protected Credentials

The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication...

CVSS 3.7 | AI score 7.6 | EPSS 0.00475
Exploits: 0 | References: 1

CVE
added 2023/06/07 9:42 p.m. | 45 views

CVE-2023-29168

CVE-2023-29168 affects PTC Vuforia Studio: the local Vuforia web application does not support HTTPS and federated credentials are passed via basic authentication, exposing credentials. Affected products: Vuforia Studio all versions prior to 9.9. According to the ICS advisory, it is exploitable re...

CVSS 7.5 | AI score 5.8 | EPSS 0.00475
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2023/06/07 9:42 p.m. | 23 views

CVE-2023-29168 PTC Vuforia Studio Insufficiently Protected Credentials

The local Vuforia web application does not support HTTPS, and federated credentials are passed via basic authentication...

CVSS 3.7 | AI score 7.7 | EPSS 0.00475
Exploits: 0 | References: 1

Huntr
added 2023/06/07 1:13 p.m. | 45 views

Unauthenticated Blind SSRF

Description The Oxeye research team found Owncast vulnerable to an Unauthenticated Blind SSRF vulnerability. This vulnerability may allow an unauthenticated attacker to force the Owncast server to send HTTP requests to arbitrary locations using the GET HTTP method. This vulnerability also allows...

CVSS 6.4 | AI score 7.5 | EPSS 0.01356
Exploits: 1

SUSE CVE
added 2023/05/30 2:22 a.m. | 1 views

SUSE CVE-2023-32319

Nextcloud server is an open source personal cloud implementation. Missing brute-force protection on the WebDAV endpoints via the basic auth header allowed to brute-force user credentials when the provided user name was not an email address. Users from version 24.0.0 onward are affected. This issu...

CVSS 8.1 | AI score 6.9 | EPSS 0.00697
Exploits: 0 | References: 3