Lucene search
+L

136 matches found

OSV
OSV
added 2022/05/09 2:10 p.m.13 views

CVE-2022-1631 Users Account Pre-Takeover or Users Account Takeover. in microweber/microweber

Users Account Pre-Takeover or Users Account Takeover. in GitHub repository microweber/microweber prior to 1.2.15. Victim Account Take Over. Since, there is no email confirmation, an attacker can easily create an account in the application using the Victim’s Email. This allows an attacker to gain...

6.8CVSS7AI score0.08958EPSS
Exploits4References5
Positive Technologies
Positive Technologies
added 2022/05/09 12:0 a.m.5 views

PT-2022-14015 · Google +1 · G-Suite +1

Name of the Vulnerable Software and Affected Versions: microweber/microweber versions prior to 1.2.15 Description: The issue allows an attacker to create an account in the application using a victim's email, as there is no email confirmation. This enables the attacker to gain pre-authentication t...

8.8CVSS6.8AI score0.08958EPSS
Exploits4References11
Hacker One
Hacker One
added 2021/12/24 10:57 a.m.13 views

Acronis: Missing brute force protection on login page on www.acronis.com

A missing brute force protection vulnerability was discovered on the login page of www.acronis.com. This allowed attackers to launch brute force attacks on user accounts, potentially leading to unauthorized access...

7AI score
Exploits0
Veracode
Veracode
added 2021/12/06 3:44 a.m.26 views

Cross-site Request Forgery (CSRF)

ssddanbrown/bookstack is vulnerable to cross-site request forgery attacks. The library does not properly validate the user login flow after the email confirmation, allowing an attacker to duplicate the username and gain access to the account when user click the confirmation link...

6.8CVSS3.5AI score0.00621EPSS
Exploits1References5Affected Software1
Huntr
Huntr
added 2021/11/10 9:2 a.m.31 views

Cross-Site Request Forgery (CSRF) in bookstackapp/bookstack

Description Login CSRF via /register/confirm/token endpoint. Proof of Concept 1: Register account with the same username as our victim, an email confirmation will take place 2: Retrieve token from email. 3: Send a link http://BOOKSTACKAPPURL/register/confirm/token to user. 4: When the user clicks...

4CVSS0.1AI score0.00621EPSS
Exploits1
Huntr
Huntr
added 2021/10/05 2:26 p.m.15 views

Use of a Broken or Risky Cryptographic Algorithm in anonaddy/anonaddy

Description MD5 and SHA-1 are popular cryptographic hash algorithms often used to verify the integrity of messages and other data. Recent advances in cryptanalysis have discovered weaknesses in both algorithms. Consequently, MD5 and SHA-1 should no longer be relied upon to verify the authenticity...

0.2AI score
Exploits0References2
Hacker One
Hacker One
added 2021/03/16 8:39 p.m.14 views

HackerOne: Used email confirmation link reveals the email address which is tied to it

Summary: If an attacker finds an used email confirmation link the token is in URL s/he will be able to see the email address which is tied to the confirmation link ID. The attack itself is pretty unlikely but the application should show the generic error message like The confirmation ID is invali...

0.5AI score
Exploits0
Hacker One
Hacker One
added 2021/03/09 11:21 a.m.76 views

Acronis: Account Confirmation bypass leads to acess some fucntionality

STEPS: 1. Go to the URL https://account.acronis.com//auth/signup 2. Create a Business Account 3. Intercept the request using burp suite 4. Now intercept the response of given HTTP REQUEST below 5. Change the field "confirmed":false to true 6. Even you can bypass Accept term condition by changing...

7AI score
Exploits0
WPVulnDB
WPVulnDB
added 2020/12/02 12:0 a.m.14 views

Profile Builder & Profile Builder Pro < 3.3.3 - Authenticated Blind SQL Injection

The orderby parameter of the wp-admin/users.php?page=unconfirmedemails=email=asc page, which is available when the "Email confirmation" setting of the plugin is activated default is off, is not properly sanitised and validated before being concatenated in a SQL statement, leading to an SQL...

8AI score
Exploits0References1Affected Software2
Hacker One
Hacker One
added 2020/06/28 1:9 p.m.95 views

Shopify: Email Confirmation Bypass in your-store.myshopify.com which leads to privilege escalation

Hello Shopify, I have found a bug by which I can verify any email on .myshopify.com, the bug is very strange but it works. Also I can take over the accounts but only the ones which do not have SSO. To reproduce please follow the steps exactly as I written otherwise you will not be able to reprodu...

7AI score
Exploits0
FreeBSD
FreeBSD
added 2020/03/11 12:0 a.m.21 views

Gitlab -- Vulnerability

Gitlab reports: Email Confirmation not Required on Sign-up...

1.9AI score
Exploits0References1
Hacker One
Hacker One
added 2020/02/14 10:33 p.m.122 views

Shopify: Able to Takeover Merchants Accounts Even They Have Already Setup SSO, After Bypassing the Email Confirmation

Able to Takeover Merchants Accounts Even They Have Already Setup SSO, After Bypassing the Email Confirmation Summary This report is based on the scenario that email confirmation has been bypassed already, like shown in 791775. What happened in 791775 was, I was too excited and didn't take a step...

7.1AI score
Exploits0
Hacker One
Hacker One
added 2020/02/14 5:37 p.m.46 views

Shopify: [Part II] Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation

Summary In 791775, I submitted a bug at Sunday 5pm Canada time, it was triaged two hours later, and I got the temp fix message at around 3am the next day in Canada time. Truly awesome, the next day I retested after the first fix, and found that I - Cannot receive the email confirmation in the ema...

6.9AI score
Exploits0
Hacker One
Hacker One
added 2020/02/09 11:25 p.m.66 views

Shopify: Email Confirmation Bypass in myshop.myshopify.com that Leads to Full Privilege Escalation to Any Shop Owner by Taking Advantage of the Shopify SSO

I told Pete I would take a look at Spotify, hi Pete. Summary It's possible to take over any store account through bypassing the email confirmation step in .myshopify.com. I found a way to confirm arbitrary emails, and after confirming arbitrary email in .myshopify.com, user is able to integrate...

7.2AI score
Exploits0
CNVD
CNVD
added 2019/11/12 12:0 a.m.3 views

Magento Security Bypass Vulnerability (CNVD-2019-40829)

Magento is an open source PHP e-commerce system from the U.S. company Magento. A security bypass vulnerability exists in Magento. An attacker can exploit this vulnerability to bypass the email confirmation mechanism via a GET request capturing the relevant account data obtained from the POST...

7.5CVSS6.9AI score0.0056EPSS
Exploits0References1
NVD
NVD
added 2019/11/05 11:15 p.m.21 views

CVE-2019-8112

A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can bypass the email confirmation mechanism via GET request that captures relevant account data obtained from the POST response related to new user creation...

7.5CVSS7.5AI score0.0056EPSS
Exploits0References1
CVE
CVE
added 2019/11/05 10:19 p.m.50 views

CVE-2019-8112

CVE-2019-8112 affects Magento Open Source/Commerce: unauthenticated attackers can bypass email confirmation via a GET request, leveraging data from the POST response during new user creation. Affected versions are Magento 2.2 prior to 2.2.10 and Magento 2.3 prior to 2.3.3 or 2.3.2-p1. The documen...

7.5CVSS7.5AI score0.0056EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2019/11/05 10:19 p.m.21 views

CVE-2019-8112

A security bypass vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An unauthenticated user can bypass the email confirmation mechanism via GET request that captures relevant account data obtained from the POST response related to new user creation...

7.7AI score0.0056EPSS
Exploits0References1
Hacker One
Hacker One
added 2019/07/02 12:25 a.m.24 views

Shopify: Add store to new partner account without confirming email address.

Details When a someone signs up for a new account on partners.shopify.com they are asked to confirm their email address before they can do anything and by anything I mean add stores, invite members, use affiliate tools and so on. Apparently they can leverage an issue on partners.shopify.com to...

6.9AI score
Exploits0
Packet Storm
Packet Storm
added 2018/05/29 12:0 a.m.35 views

foilChat Sign Up Email PIN Confirmation Bypass

foilChat sign up email PIN confirmation bypass ============================================== https://sintonen.fi/advisories/foilchat-signup-email-pin-confirmation-bypass.txt Overview -------- foilChat https://www.foilchat.com/ allows anyone to register with any email address due to a...

7.4AI score
Exploits0
Rows per page
Query Builder