PT-2023-19459 · Konga · Konga
Name of the Vulnerable Software and Affected Versions: Konga version 2.8.3 Description: A problem was found in the Login API component, leading to insufficiently random values. The complexity of an attack is rather high, and the exploitability is difficult. The issue has been disclosed to the...
PT-2023-10265 · Unknown · Opencyclecompass Server-Php
Name of the Vulnerable Software and Affected Versions: OpenCycleCompass server-php, affected versions not specified Description: A critical issue was found in OpenCycleCompass server-php, where manipulation of the user argument leads to SQL injection. This can be exploited remotely. The issue...
PT-2022-10521 · Feehicms · Feehicms
Name of the Vulnerable Software and Affected Versions: Feehi CMS versions 2.1.1 and earlier Description: The issue allows attackers to run arbitrary code via the user name field of the "/login" API endpoint. This is a Cross-Site Scripting (XSS) issue, which means attackers can inject malicious...
Bypass IP detection to brute-force password in ikus060/rdiffweb
Description In the login API, by default, the IP address is blocked when a user tries to log in incorrectly more than 5 times, but this mechanism can be bypassed by abusing the X-Forwarded-For header to evade IP detection and perform password brute-force. Proof of Concept POST /login/ HTTP/1.1 Host:...
Bypass IP detection to brute-force password
Description In the login API, by default, the IP address is blocked when a user tries to log in incorrectly more than 5 times, but this mechanism can be bypassed by abusing the X-Forwarded-For header to evade IP detection and perform password brute-force. Proof of Concept POST /demo/api/userlogin...
CVE-2021-38376
OX App Suite through 7.10.5 has Incorrect Access Control for retrieval of session information via the rampup action of the login API call...
Session fixation
OX App Suite through 7.10.5 has Incorrect Access Control for retrieval of session information via the rampup action of the login API call...
PT-2021-9562 · Wavlink · Wavlink Wn579X3 +1
Name of the Vulnerable Software and Affected Versions: Wavlink WN575A4 and WN579X3 devices through 2020-05-15 Description: The issue allows unauthenticated remote users to inject commands via the key parameter in a "login request" API endpoint. Recommendations: For Wavlink WN575A4 and WN579X3...
Palo Alto Software: weak protection against brute-forcing on login api leads to account takeover
Summary: Weak protection against brute-forcing on login API: https://api.outpost.co/api/v1/login leads to account takeover on https://www.teamoutpost.com/ Steps To Reproduce: Sign in on https://www.teamoutpost.com/ F673002 redirect to https://app.outpost.co/sign-in to login F673012 test any login...
CVE-2017-8058
Acceptance of invalid/self-signed TLS certificates in Atlassian HipChat before 3.16.2 for iOS allows a man-in-the-middle and/or physically proximate attacker to silently intercept information sent during the login API call...
CVE-2016-5681
Stack-based buffer overflow in dws/api/Login on D-Link DIR-850L B1 2.07 before 2.07WWB05, DIR-817 Ax, DIR-818LW Bx before 2.05b03beta03, DIR-822 C1 3.01 before 3.01WWb02, DIR-823 A1 1.00 before 1.00WWb05, DIR-895L A1 1.11 before 1.11WWb04, DIR-890L A1 1.09 before 1.09b14, DIR-885L A1 1.11 before...