Lucene search
K

62 matches found

OSV
OSV
added 2026/02/12 10:11 p.m.6 views

GHSA-R33W-FG8J-9C94 MagicLink: Insecure Deserialization of MagicLink Actions Leads to Remote Code Execution

Description MagicLink stores serialized action objects in the magiclinks.action database column and deserializes them without integrity validation or class allowlisting in src/MagicLink.php and src/Actions/ResponseAction.php. An attacker with the ability to manipulate database records e.g., via S...

8.8CVSS6.1AI score
Exploits0References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2022-34475

Malicious code in bioql PyPI...

8.8CVSS8.6AI score0.00769EPSS
Exploits0References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2025-4088

Malicious code in bioql PyPI...

6.5CVSS6.4AI score0.00301EPSS
Exploits1References3
OSV
OSV
added 2025/07/07 10:13 p.m.24 views

GHSA-36RG-GFQ2-3H56 Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes

Summary An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. Details In the matchesPattern function, url.startsWith can be deceived with ...

5.3CVSS5.7AI score0.00334EPSS
Exploits0References4
OSV
OSV
added 2025/07/07 5:15 p.m.5 views

CVE-2025-53535 Better Auth has an Open Redirect Vulnerability in originCheck Middleware Affecting Multiple Routes

Better Auth is an authentication and authorization library for TypeScript. An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. This...

5.3CVSS7.1AI score0.00334EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2025/02/14 12:10 p.m.7 views

CVE-2025-25202

Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and who have used the magic link strategy or are manually revoking tokens are affected by revoked tokens being allow...

6.5CVSS6.9AI score0.00301EPSS
Exploits1References1
NVD
NVD
added 2025/02/11 7:15 p.m.32 views

CVE-2025-25202

Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and who have used the magic link strategy or are manually revoking tokens are affected by revoked tokens being allow...

6.5CVSS0.00301EPSS
Exploits1References2
Cvelist
Cvelist
added 2025/02/11 6:28 p.m.22 views

CVE-2025-25202 Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`

Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and who have used the magic link strategy or are manually revoking tokens are affected by revoked tokens being allow...

6.3CVSS0.00301EPSS
Exploits1References2
CVE
CVE
added 2025/02/11 6:28 p.m.2288 views

CVE-2025-25202

CVE-2025-25202 affects Ash Authentication (Elixir) in installations bootstrapped with the igniter installer from v4.1.0 up to but not including v4.4.9. The issue is that magic link tokens—as well as tokens revoked manually—could be verified as valid even after revocation, effectively making magic...

6.5CVSS6.6AI score0.00301EPSS
Exploits1References2Affected Software1
Vulnrichment
Vulnrichment
added 2025/02/11 6:28 p.m.7 views

CVE-2025-25202 Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`

Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and who have used the magic link strategy or are manually revoking tokens are affected by revoked tokens being allow...

6.3CVSS6.6AI score0.00301EPSS
Exploits1References2
OSV
OSV
added 2025/02/11 6:28 p.m.10 views

CVE-2025-25202 Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`

Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and who have used the magic link strategy or are manually revoking tokens are affected by revoked tokens being allow...

6.3CVSS6.8AI score0.00301EPSS
Exploits1References4
OSV
OSV
added 2025/02/11 6:12 p.m.8 views

GHSA-QRM9-F75W-HG4C Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`

Impact Applications which have been bootstrapped by the new igniter installer since AshAuthentication v4.1.0 and who have used the magic link strategy, password resets, confirmation, or are manually revoking tokens are affected by revoked tokens being allowed to verify as valid. If you did not us...

6.3CVSS6.5AI score0.00301EPSS
Exploits1References4
Github Security Blog
Github Security Blog
added 2025/02/11 6:12 p.m.12 views

Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`

Impact Applications which have been bootstrapped by the new igniter installer since AshAuthentication v4.1.0 and who have used the magic link strategy, password resets, confirmation, or are manually revoking tokens are affected by revoked tokens being allowed to verify as valid. If you did not us...

6.5CVSS6.5AI score0.00301EPSS
Exploits1References4Affected Software1
CNNVD
CNNVD
added 2025/02/11 12:0 a.m.6 views

Ash Authentication 安全漏洞

Ash Authentication is an Ash authentication framework open-sourced by Alembic. A security vulnerability exists in Ash Authentication versions prior to 4.1.0 through 4.4.9, which stems from the presence of a token validation flaw that can lead to reusable magic link tokens...

6.5CVSS6.6AI score0.00301EPSS
Exploits1References3
Huntr
Huntr
added 2023/09/24 1:24 p.m.39 views

No rate limit on sending magic link to sign-in

Description It was observed that rate limit is not being implemented on sending magic link , which allows an attacker to spam the victims mailbox. Affected URL : https://app.vrite.io/api/v1/auth.sendMagicLink?batch=1 Proof of Concept 1. Visit - https://app.vrite.io/auth 2. select option "continue...

4CVSS6.9AI score0.00544EPSS
Exploits1
vulnersOsv
vulnersOsv
added 2023/03/01 4:18 p.m.5 views

com.github.vzakharchenko:chillispot-radius-plugin (>=1.4.10 <=1.4.11), com.github.vzakharchenko:cisco-radius-plugin (>=1.4.10 <=1.4.11) +55 more potentially affected by CVE-2022-1438 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=21.0.0)

org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =0.3.0-20.0.1, =0.4.5-20.0.2, =1.3.2, =0.6, =0.2, =0.7 and more Source cves: CVE-2022-1438 Source advisory: OSV:GHSA-W354-2F3C-QVG9...

6.4CVSS6.1AI score0.0066EPSS
Exploits0
Talos
Talos
added 2022/12/21 12:0 a.m.44 views

Ghost unauthorized newsletter modification vulnerability

Talos Vulnerability Report TALOS-2022-1624 Ghost unauthorized newsletter modification vulnerability December 21, 2022 CVE Number CVE-2022-41654 SUMMARY An authentication bypass vulnerability exists in the newsletter subscription functionality of Ghost Foundation Ghost 5.9.4. A specially-crafted...

9.6CVSS5AI score0.18914EPSS
Exploits1
ATTACKERKB
ATTACKERKB
added 2022/07/19 3:15 p.m.3 views

CVE-2022-2192

Forced Browsing vulnerability in HYPR Server version 6.10 to 6.15.1 allows remote attackers with a valid one-time recovery token to elevate privileges via path tampering in the Magic Link page. This issue affects: HYPR Server versions later than 6.10; version 6.15.1 and prior versions...

8.8CVSS7.3AI score0.00769EPSS
Exploits0References2
CVE
CVE
added 2022/07/19 2:7 p.m.55 views

CVE-2022-2192

CVE-2022-2192 describes a forced browsing vulnerability in HYPR Server spanning versions 6.10 to 6.15.1. An attacker with a valid one-time recovery token can perform path tampering on the Magic Link page to elevate privileges, yielding a remote, network-attack surface with high impact to confiden...

8.8CVSS8.5AI score0.00769EPSS
Exploits0References1Affected Software1
CNNVD
CNNVD
added 2022/07/19 12:0 a.m.4 views

HYPR Server 安全漏洞

HYPR and HYPR Server are both products of HYPR, Inc.HYPR is a security application that implements password-less security.HYPR Server is a server. A security vulnerability exists in HYPR Server versions 6.10 through 6.15.1, which stems from a forced browsing vulnerability that allows a remote...

8.8CVSS8.1AI score0.00769EPSS
Exploits0References2
Rows per page
Query Builder