45 matches found
PT-2024-40248 · Unknown · Silverstripe
Name of the Vulnerable Software and Affected Versions: Silverstripe affected versions not specified Description: The issue concerns a user ID enumeration vulnerability in brute force error messages. Specifically, the system previously handled login attempts for non-existent and existing users...
CVE-2023-2732
The MStore API plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 3.9.2. This is due to insufficient verification on the user being supplied during the add listing REST API request through the plugin. This makes it possible for unauthenticated attackers ...
SUSE CVE-2020-27780
A flaw was found in Linux-Pam in versions prior to 1.5.1 in the way it handle empty passwords for non-existing users. When the user doesn't exist PAM try to authenticate with root and in the case of an empty password it successfully authenticate...
CVE-2021-3754
A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password...
Ping Identity PingFederate授权问题漏洞
Ping Identity PingFederate is a flagship software-based federation server in the United States. for identity management. Ping Identity PingFederate has a security vulnerability that can be exploited by an existing user to reset the password of another existing user when the password reset mechani...
Default credentials
When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing users password...
CVE-2021-43145
With certain LDAP configurations, Zammad 5.0.1 was found to be vulnerable to unauthorized access with existing user accounts...
GHSA-83X4-9CWR-5487 Improper Authorization in Keycloak
A incorrect authorization flaw was found in Keycloak 12.0.0, the flaw allows an attacker with any existing user account to create new default user accounts via the administrative REST API even where new user registration is disabled...
Keycloak: Incorrect authorization allows unpriviledged users to create other users
A flaw was found in Keycloak version from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled...
Elabftw 授权问题漏洞
eLabFTW is an open source platform for hosting experimental data. The platform runs on Linux systems and supports storage of multiple objects. eLabFTW is vulnerable to an authorization issue that stems from a lack of authentication measures or insufficient authentication strength in the network...
Cross-site Scripting (XSS) - Stored in ampache/ampache
Description ampache has a stored XSS in the View Existing User , an attacker could exploit with the Website attribute to steal the other users' cookie Proof of Concept 1 Visit http://ampache//index.phppreferences.php?tab=account set the Website attribut toe: foo" onmouseover=alertdocument.cookie ...
CVE-2021-27734
Hirschmann HiOS 07.1.01, 07.1.02, and 08.1.00 through 08.5.xx and HiSecOS 03.3.00 through 03.5.01 allow remote attackers to change the credentials of existing users...
ALPINE-CVE-2020-27780
A flaw was found in Linux-Pam in versions prior to 1.5.1 in the way it handle empty passwords for non-existing users. When the user doesn't exist PAM try to authenticate with root and in the case of an empty password it successfully authenticate...
openSUSE Security Update : gdm (openSUSE-2020-1961)
This update for gdm fixes the following issues : - Exit with failure if loading existing users fails bsc1178150 CVE-2020-16125. This update was imported from the SUSE:SLE-15-SP2:Update update project. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were...
The vulnerability of the sudoer account in the Runas ALL system administration software allows a hacker to impersonate an existing user.
The vulnerability of the sudoer account in the Runas ALL system administration program is related to improper access control. Exploiting this vulnerability allows a malicious actor to impersonate an existing user...
USN-3374-1 rabbitmq-server vulnerability
It was discovered that RabbitMQ incorrectly handled MQTT MQ Telemetry Transport authentication. A remote attacker could use this issue to authenticate successfully with an existing username by omitting the password...
F5 Networks BIG-IP : OpenSSH vulnerability (K14845276)
When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hard-coded in the SSHD source code. An attacker can measure timing information to determine if a user exists when verifying a password. CVE-2016-6210 C Tenable Network Security, Inc. The descriptive tex...
ntop-ng 2.5.160805 Username Enumeration
Exploit title: ntopng user enumeration Author: Dolev Farhi Contact: dolevf at protonmail.com Date: 04-08-2016 Vendor homepage: ntop.org Software version: v.2.5.160805 !/usr/env/python import os import sys import urllib import urllib2 import cookielib server = 'ip.add.re.ss' username = 'ntopng-use...
Ubuntu 14.04 LTS / 16.04 LTS : OpenSSH vulnerabilities (USN-3061-1)
The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3061-1 advisory. Eddie Harari discovered that OpenSSH incorrectly handled password hashing when authenticating non-existing users. A remote attacker could...
Tivoli Provisioning Manager Express for Software Distribution Multiple SQL Injections
The remote web application fails to properly sanitize user-supplied input to the following servlets : - Printer.getPrinterAgentKey in the SoapServlet servlet - User.updateUserValue in the register.do servlet - User.isExistingUser in the logon.do servlet - Asset.getHWKey in the CallHomeExec servle...