136 matches found
CVE-2025-22385
An issue was discovered in Optimizely Configured Commerce before 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This could affect database storage; also, non-requested...
CVE-2022-1631
Users Account Pre-Takeover or Users Account Takeover. in GitHub repository microweber/microweber prior to 1.2.15. Victim Account Take Over. Since, there is no email confirmation, an attacker can easily create an account in the application using the Victim’s Email. This allows an attacker to gain...
CVE-2020-13342
An issue has been discovered in GitLab affecting versions prior to 13.2.10, 13.3.7 and 13.4.2: Lack of Rate Limiting at Re-Sending Confirmation Email...
CVE-2025-32782 Ash Authentication email link auto-click account confirmation vulnerability
Ash Authentication provides authentication for the Ash framework. The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools e.g., Outlook, virus scanners, and email previewers may automatically follow...
PT-2025-16540 · Unknown · Ashauthentication
Name of the Vulnerable Software and Affected Versions: Ash Authentication versions prior to 4.7.0 Description: The confirmation flow for account creation in Ash Authentication uses a GET request triggered by clicking a link sent via email. Some email clients and security tools may automatically...
Moodle < 4.1.15 Multiple Vulnerabilities
According to its self-reported version, the Moodle install hosted on the remote host is 4.1.x prior to 4.1.15, 4.3.x prior to 4.3.9, or 4.4.x prior to 4.4.5. It is, therefore, affected by multiple vulnerabilities. - A potential denial of service risk due to guest sessions' longer timeout period. ...
Moodle 4.4.x < 4.4.5 Multiple Vulnerabilities
According to its self-reported version, the Moodle install hosted on the remote host is 4.1.x prior to 4.1.15, 4.3.x prior to 4.3.9, or 4.4.x prior to 4.4.5. It is, therefore, affected by multiple vulnerabilities. - A potential denial of service risk due to guest sessions' longer timeout period. ...
GHSA-R385-C5FC-X56C CouchAuth has a Server-Side Template Injection vulnerability in its email functionality
A host header injection vulnerability exists in the NPM package of perfood/couch-auth = 0.21.2. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger a SSTI which can be leveraged to run limited commands or leak server-side information...
CVE-2024-57177
A host header injection vulnerability exists in the NPM package of perfood/couch-auth = 0.21.2. By sending a specially crafted host header in the email change confirmation request, it is possible to trigger a SSTI which can be leveraged to run limited commands or leak server-side information...
CVE-2025-22385
An issue was discovered in Optimizely Configured Commerce before 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This could affect database storage; also, non-requested...
CVE-2025-22385
An issue was discovered in Optimizely Configured Commerce before 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This could affect database storage; also, non-requested...
CVE-2025-22385
Optimizely Configured Commerce before 5.2.2408 contains an issue where the Commerce B2B application does not require email confirmation for newly created accounts, enabling mass account creation and potential impacts to database storage (and non-requested storefront accounts). Affected version ra...
Optimizely Configured Commerce 安全漏洞
Optimizely Configured Commerce is a portfolio commerce platform from Optimizely, Inc. A security vulnerability exists in Optimizely Configured Commerce versions prior to 5.2.2408, which stems from an email confirmation not being required for newly created accounts...
CVE-2025-22385
An issue was discovered in Optimizely Configured Commerce before 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This could affect database storage; also, non-requested...
PT-2025-4481 · Optimizely · Optimizely Configured Commerce
Name of the Vulnerable Software and Affected Versions: Optimizely Configured Commerce versions prior to 5.2.2408 Description: An issue was discovered in Optimizely Configured Commerce where the Commerce B2B application does not require email confirmation for newly created accounts. This allows th...
CVE-2025-22385
An issue was discovered in Optimizely Configured Commerce before 5.2.2408. For newly created accounts, the Commerce B2B application does not require email confirmation. This medium-severity issue allows the mass creation of accounts. This could affect database storage; also, non-requested...
CVE-2024-53860 Potential Abuse for Sending Arbitrary Emails in sp-php-email-handler
sp-php-email-handler is a PHP package for handling contact form submissions. Messages sent using this script are vulnerable to abuse, as the script allows anybody to specify arbitrary email recipients and include user-provided content in confirmation emails. This could enable malicious actors to...
Weak Entropy In Token Generation
friendsofsymfony/user-bundle is vulnerable to Weak Entropy in Token Generation. The vulnerability is due to the imprecise nature of the baseconvert function used in FOSUserBundle, which allows attackers to exploit the weakened randomness of tokens generated for email confirmation and password...
FOSUserBundle Entropy is lost in the TokenGenerator
Description Because of the usage of baseconvert which looses precision for large inputs, the entropy of tokens generated by FOSUserBundle for the email confirmation and password resetting is lost. This makes these tokens much less random than they are expected to be, and so not cryptographically...
HackerOne: Reset the 2FA of the user which can lead to Account Takeover
Vulnerability description not provided...