16 matches found
EUVD-2026-38024
Authentication Bypass by Capture-replay vulnerability in Apache APISIX. Attacker can benefit from certain configurations in hmac-auth to re-use a token forever, bypassing expiry. This issue affects Apache APISIX: from 3.11.0 through 3.16.0. Users are recommended to upgrade to version 3.17.0, whic...
CVE-2026-33359
In Meari IoT Cloud alert image storage on Alibaba OSS latest observed; storage service version not disclosed, motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows...
PT-2026-39642
In Meari IoT Cloud alert image storage on Alibaba OSS latest observed; storage service version not disclosed, motion snapshots are retrievable without authentication, signed URLs, or expiry enforcement. URLs function as direct object references and remain valid beyond expected operational windows...
GHSA-H5FQ-653G-GXRM ots has a negative expire override that can bypass its secret retention policy
Summary The /api/create endpoint accepted negative expire query values. For the memory storage backend, negative values were passed to secret creation as a negative duration and treated as no expiry, allowing callers to create secrets that persisted longer than intended. Impact Unauthenticated...
Spring Security 安全漏洞
Spring Security is a security framework developed by Spring OpenSource that includes authentication and authorization features. There are security vulnerabilities in versions of Spring Security 5.7.22 and earlier, 5.8.24 and earlier, 6.3.15 and earlier, 6.5.9 and earlier, and 7.0.4 and earlier...
CVE-2026-33527
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.57 and 9.6.0-alpha.48, an authenticated user can overwrite server-generated session fields such as expiresAt and createdWith when updating their own session via the REST...
PT-2026-27481
Wallos is an open-source, self-hostable personal subscription tracker. Prior to version 4.7.2, password reset tokens in Wallos never expire. The password resets table includes a created at timestamp column, but the token validation logic never checks it. A password reset token remains valid...
CVE-2025-66432
In Oxide control plane 15 through 17 before 17.1, API tokens can be renewed past their expiration date...
CVE-2025-8855 2FA Expiry Bypass in Optimus Software's Brokerage Automation
Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry...
CVE-2025-8855 2FA Expiry Bypass in Optimus Software's Brokerage Automation
Authorization Bypass Through User-Controlled Key, Weak Password Recovery Mechanism for Forgotten Password, Authentication Bypass by Assumed-Immutable Data vulnerability in Optimus Software Brokerage Automation allows Exploiting Trust in Client, Authentication Bypass, Manipulate Registry...
PT-2024-7968 · Eclipse · Eclipse Dataspace Components
Name of the Vulnerable Software and Affected Versions: Eclipse Dataspace Components versions 0.5.0 through 0.9.0 Description: The issue is related to the ConsumerPullTransferTokenValidationApiController component, which has inadequate authentication procedures. This allows a remote attacker to...
SAMSUNG Mobile devices Authorization Issues Vulnerability
SAMSUNG Mobile devices are a range of Samsung mobile devices, including cell phones, tablets, etc., from the South Korean company Samsung SAMSUNG. An authorization issue vulnerability exists in SAMSUNG Mobile devices prior to version 1.8.17, which stems from an improper authentication issue in...
Operation on a Resource after Expiration or Release
Overview Affected versions of this package are vulnerable to Operation on a Resource after Expiration or Release due to the password reset functionality. An attacker can accept an invitation for an unlimited amount of time by exploiting the lack of validation for the pending invitation's expiry...
PT-2022-23196 · Typo3 · Typo3
Name of the Vulnerable Software and Affected Versions: TYPO3 versions prior to 10.4.32 TYPO3 versions prior to 11.5.16 Description: The expiration time of a password reset link for TYPO3 backend users has never been evaluated, allowing a password reset link to be used even after the default expir...
CVE-2020-15074
OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial token expiry timestamp...
CVE-2020-15074
OpenVPN Access Server older than version 2.8.4 and version 2.9.5 generates new user authentication tokens instead of reusing exiting tokens on reconnect making it possible to circumvent the initial token expiry timestamp...