Lucene search
K

1221 matches found

Positive Technologies
Positive Technologies
added 2026/04/01 12:0 a.m.5 views

PT-2026-29542

Improper access control in the multi-factor authentication MFA management API in Devolutions Server allows an authenticated attacker to delete their own configured MFA factors and reduce account protection to password-only authentication via crafted HTTP requests. This issue affects Server: from...

5.9AI score0.00254EPSS
Exploits0References2
Joomla! Vulnerable Extensions List
Joomla! Vulnerable Extensions List
added 2026/04/01 12:0 a.m.13 views

[20260512] - Core - MFA Authentication Bypass

Incorrectly resetted session states to a vector that allows to bypass 2FA checks...

8.2CVSS5.8AI score0.00211EPSS
Exploits0Affected Software1
Joomla! Vulnerable Extensions List
Joomla! Vulnerable Extensions List
added 2026/04/01 12:0 a.m.12 views

[20260511] - Core - MFA Authentication Bypass

Insufficient state checks lead to a vector that allows to bypass 2FA checks...

8.2CVSS5.8AI score0.00297EPSS
Exploits0Affected Software1
Cvelist
Cvelist
added 2026/03/31 2:25 p.m.20 views

CVE-2026-34224 Parse Server: MFA single-use token bypass via concurrent authData login requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple...

2.1CVSS0.00311EPSS
Exploits0References5
Vulnrichment
Vulnrichment
added 2026/03/31 2:25 p.m.2 views

CVE-2026-34224 Parse Server: MFA single-use token bypass via concurrent authData login requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple...

2.1CVSS5.8AI score0.00311EPSS
Exploits0References5
OSV
OSV
added 2026/03/31 2:25 p.m.4 views

CVE-2026-34224 Parse Server: MFA single-use token bypass via concurrent authData login requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.64 and 9.7.0-alpha.8, an attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple...

2.1CVSS5.8AI score0.00311EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/03/29 3:23 p.m.5 views

Parse Server has an MFA single-use token bypass via concurrent authData login requests

Impact An attacker who possesses a valid authentication provider token and a single MFA recovery code or SMS one-time password can create multiple authenticated sessions by sending concurrent login requests via the authData login endpoint. This defeats the single-use guarantee of MFA recovery cod...

4.4CVSS5.9AI score0.00311EPSS
Exploits0References7Affected Software1
RedhatCVE
RedhatCVE
added 2026/03/26 3:12 p.m.5 views

CVE-2026-25937

GLPI is a free Asset and IT management software package. Starting in version 11.0.0 and prior to version 11.0.6, a malicious actor with knowledge of a user's credentials can bypass MFA and steal their account. Version 11.0.6 fixes the issue...

6.5CVSS5.8AI score0.00292EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:11 p.m.5 views

CVE-2026-29108

SuiteCRM is an open-source, enterprise-ready Customer Relationship Management CRM software application. Prior to versions 8.9.3, an authenticated API endpoint allows any user to retrieve detailed information about any other user, including their password hash, username, and MFA configuration. As...

6.5CVSS5.8AI score0.00306EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:7 p.m.4 views

CVE-2026-31798

JumpServer is an open source bastion host and an operation and maintenance security audit system. Prior to v4.10.16-lts, JumpServer improperly validates certificates in the Custom SMS API Client. When JumpServer sends MFA/OTP codes via Custom SMS API, an attacker can intercept the request and...

5CVSS5.9AI score0.00097EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 3:2 p.m.4 views

CVE-2026-32730

ApostropheCMS is an open-source content management framework. Prior to version 4.28.0, the bearer token authentication middleware in @apostrophecms/express/index.js lines 386-389 contains an incorrect MongoDB query that allows incomplete login tokens — where the password was verified but TOTP/MFA...

8.1CVSS5.7AI score0.00362EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/26 2:59 p.m.3 views

CVE-2026-31875

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.6.0-alpha.7 and 8.6.33, when multi-factor authentication MFA via TOTP is enabled for a user account, Parse Server generates two single-use recovery codes. These codes are intended as...

8.2CVSS5.9AI score0.0044EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/03/26 2:58 p.m.4 views

CVE-2026-4208

The extension fails to properly reset the generated MFA code after successful authentication. This leads to a possible MFA bypass for future login attempts by providing an empty string as MFA code to the extensions MFA provider...

7.7CVSS5.8AI score0.00256EPSS
Exploits0References1
EUVD
EUVD
added 2026/03/24 7:48 p.m.3 views

EUVD-2026-14978

Parse Server: MFA recovery code single-use bypass via concurrent requests...

2.1CVSS5.9AI score0.00175EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/24 7:48 p.m.12 views

Parse Server: MFA recovery code single-use bypass via concurrent requests

Impact An attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and...

2.7CVSS5.9AI score0.00175EPSS
Exploits0References7Affected Software1
OSV
OSV
added 2026/03/24 7:48 p.m.4 views

GHSA-2299-GHJR-6VJP Parse Server: MFA recovery code single-use bypass via concurrent requests

Impact An attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending concurrent login requests. This defeats the single-use design of recovery codes. The attack requires the user's password, a valid recovery code, and...

2.1CVSS5.9AI score0.00175EPSS
Exploits0References7
Vulnrichment
Vulnrichment
added 2026/03/24 6:28 p.m.3 views

CVE-2026-33624 Parse Server: MFA recovery code single-use bypass via concurrent requests

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who obtains a user's password and a single MFA recovery code can reuse that recovery code an unlimited number of times by sending...

2.1CVSS5.8AI score0.00175EPSS
Exploits0References5
CVE
CVE
added 2026/03/24 6:28 p.m.13 views

CVE-2026-33624

CVE-2026-33624 affects Parse Server. Prior to versions 8.6.60 and 9.6.0-alpha.54, an attacker who knows a user’s password and a valid MFA recovery code can reuse that code indefinitely by sending concurrent login requests, defeating the single‑use design of recovery codes. Impacted component: MFA...

2.7CVSS5.8AI score0.00175EPSS
Exploits0References5Affected Software1
CNNVD
CNNVD
added 2026/03/24 12:0 a.m.7 views

Parse Server 安全漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. There were security vulnerabilities in versions of Parse Server prior to 8.6.60 and 9.6.0-alpha.54. These vulnerabilities stemmed from the ability for MFA recovery...

2.7CVSS5.9AI score0.00175EPSS
Exploits0References5
CNNVD
CNNVD
added 2026/03/24 12:0 a.m.6 views

Parse Server 信息泄露漏洞

Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 8.6.61 and 9.6.0-alpha.55 contain a vulnerability known as information leakage. This vulnerability stems from the GET /users/me...

7.1CVSS5.8AI score0.00378EPSS
Exploits0References5
Rows per page
Query Builder