1748 matches found

RedHat Linux
added 2024/12/11 4:19 p.m. · 1 view

php: password_verify can erroneously return true, opening ATO risk

A null byte interaction error vulnerability was found in PHP. If a password stored with password_hash starts with a null byte \x00, testing a blank string as the password via password_verify will incorrectly return true. If a user can create a password with a leading null byte unlikely, but...

CVSS 6.5 · AI score 5.7 · EPSS 0.0148
Exploits 1 · References 5
Tenable Nessus
added 2024/12/04 12:0 a.m. · 20 views

Dahua Technology Co., Ltd Digital Video Recorders and IP Cameras Use of Password Hash Instead of Password For Authentication (CVE-2017-7927)

A Use of Password Hash Instead of Password for Authentication issue was discovered in Dahua DH-IPC-HDBW23A0RN-ZS, DH-IPC-HDBW13A0SN, DH-IPC-HDW1XXX, DH-IPC-HDW2XXX, DH-IPC-HDW4XXX, DH-IPC-HFW1XXX, DH-IPC-HFW2XXX, DH-IPC-HFW4XXX, DH-SD6CXX, DH-NVR1XXX, DH-HCVR4XXX, DH-HCVR5XXX,...

CVSS 7.5 · AI score 7.1 · EPSS 0.36747
Exploits 0 · References 4
Hacker One
added 2024/11/29 3:4 p.m. · 9 views

U.S. Dept Of Defense: Unauthenticated File Read Adobe ColdFusion

A vulnerability was discovered in Adobe ColdFusion that led to an Unauthenticated Arbitrary File Read. The vulnerability was caused by the deserialization of untrusted data. A password hash was disclosed as a result of the vulnerability...

CVSS 9.8 · AI score 7 · EPSS 0.97115
Exploits 13
Tenable Nessus
added 2024/11/28 12:0 a.m. · 5 views

Schneider Electric Modicon M340, MC80, and Momentum Unity M1E Improper Enforcement of Message Integrity During Transmission in a Communication Channel (CVE-2024-8933)

A vulnerability exists that could cause retrieval of password hash that could lead to denial of service and loss of confidentiality and integrity of controllers. To be successful, the attacker needs to inject themselves inside the logical network while a valid user uploads or downloads a project...

CVSS 7.7 · AI score 5.5 · EPSS 0.00483
Exploits 0 · References 3
Amazon
added 2024/11/15 12:0 a.m. · 3 views

Medium: cloud-init

Issue Overview: Sensitive data could be exposed in logs of cloud-init before version 23.1.2. An attacker could use this information to find hashed passwords and possibly escalate their privilege. CVE-2023-1786 Affected Packages: cloud-init Note: This advisory is applicable to Amazon Linux 2 AL2...

CVSS 5.5 · AI score 7 · EPSS 0.00263
Exploits 0
Cvelist
added 2024/11/13 4:6 a.m. · 13 views

CVE-2024-8933

CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause retrieval of password hash that could lead to denial of service and loss of confidentiality and integrity of controllers. To be successful, the attacker needs to...

CVSS 7.5 · EPSS 0.00281
Exploits 0 · References 1
Vulnrichment
added 2024/11/13 4:6 a.m. · 9 views

CVE-2024-8933

CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel vulnerability exists that could cause retrieval of password hash that could lead to denial of service and loss of confidentiality and integrity of controllers. To be successful, the attacker needs to...

CVSS 7.5 · AI score 7 · EPSS 0.00281
Exploits 0 · References 1
Tenable Nessus
added 2024/11/12 12:0 a.m. · 15 views

Fortinet FortiWeb Exposure of password hashes to read-only admin (FG-IR-24-180)

The version of FortiWeb installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the FG-IR-24-180 advisory. - An exposure of sensitive system information to an unauthorized control sphere vulnerability CWE-497 in FortiWeb version 7.6....

CVSS 4.4 · AI score 5.6 · EPSS 0.00207
Exploits 0 · References 2
NVD
added 2024/11/07 6:15 p.m. · 14 views

CVE-2019-20457

An issue was discovered on Brother MFC-J491DW C1806180757 devices. The printer's web-interface password hash can be retrieved without authentication, because the response header of any failed login attempt returns an incomplete authorization cookie. The value of the authorization cookie is the MD...

CVSS 9.1 · EPSS 0.00734
Exploits 0 · References 4
Positive Technologies
added 2024/11/07 12:0 a.m. · 6 views

PT-2024-10733 · Brother · Brother Mfc-J491Dw

Name of the Vulnerable Software and Affected Versions: Brother MFC-J491DW version C1806180757 Description: An issue was discovered where the printer's web-interface password hash can be retrieved without authentication. This occurs because the response header of any failed login attempt returns a...

CVSS 9.1 · AI score 7.4 · EPSS 0.00734
Exploits 0 · References 14
Vulnrichment
added 2024/11/07 12:0 a.m. · 12 views

CVE-2019-20457

An issue was discovered on Brother MFC-J491DW C1806180757 devices. The printer's web-interface password hash can be retrieved without authentication, because the response header of any failed login attempt returns an incomplete authorization cookie. The value of the authorization cookie is the MD...

AI score 7 · EPSS 0.00734
Exploits 0 · References 3
Cvelist
added 2024/11/07 12:0 a.m. · 23 views

CVE-2019-20457

An issue was discovered on Brother MFC-J491DW C1806180757 devices. The printer's web-interface password hash can be retrieved without authentication, because the response header of any failed login attempt returns an incomplete authorization cookie. The value of the authorization cookie is the MD...

EPSS 0.00734
Exploits 0 · References 3
CVE
added 2024/11/07 12:0 a.m. · 57 views

CVE-2019-20457

The CVE-2019-20457 entry concerns Brother MFC-J491DW (firmware C1806180757). Affected component is the web interface where authentication can be bypassed to reveal the password hash. The underlying issue is that the response header after failed login attempts returns an incomplete authorization c...

CVSS 9.1 · AI score 7.3 · EPSS 0.00734
Exploits 0 · References 4
OSV
added 2024/11/01 11:9 a.m. · 2 views

OESA-2024-2308 python-jupyter-server security update

The backend for Jupyter web applications Security Fixes: The Jupyter Server provides the backend for Jupyter web applications. Jupyter Server on Windows has a vulnerability that lets unauthenticated attackers leak the NTLMv2 password hash of the Windows user running the Jupyter server. An attacke...

CVSS 7.5 · AI score 7.2 · EPSS 0.00699
Exploits 0 · References 2
Packet Storm
added 2024/10/04 12:0 a.m. · 331 views

ManageEngine ADManager 7183 Password Hash Disclosure

Title: ManageEngine ADManager 7183 Password Hash Disclosure Vulnerability | Author: indoushka | Tested on: windows 10 FrPro / browser: Mozilla...

AI score 7.4
Exploits 0
RedHat Linux
added 2024/10/01 3:54 p.m. · 1 view

389-ds-base: Malformed userPassword hash may cause Denial of Service

A denial of service vulnerability was found in the 389-ds-base LDAP server. This issue may allow an authenticated user to cause a server denial of service while attempting to log in with a user with a malformed hash in their password...

CVSS 5.7 · AI score 5.7 · EPSS 0.00573
Exploits 0 · References 4
CNNVD
added 2024/09/30 12:0 a.m. · 1 view

PLANET switch devices security vulnerability

PLANET switch devices are a series of switch devices from PLANET Corporation in China. A security vulnerability exists in PLANET switch devices that stems from the use of an insecure hash function that is not salted to hash user passwords. A remote attacker with administrator privileges could rea...

CVSS 4.9 · AI score 6.7 · EPSS 0.00301
Exploits 0 · References 3
OSV
added 2024/09/27 1:58 p.m. · 15 views

CVE-2024-47182 Dozzle uses unsafe hash for passwords

Dozzle is a realtime log viewer for docker containers. Before version 8.5.3, the app uses sha-256 as the hash for passwords, which leaves users susceptible to rainbow table attacks. The app switches to bcrypt, a more appropriate hash for passwords, in version 8.5.3...

CVSS 4.8 · AI score 7.8 · EPSS 0.00205
Exploits 0 · References 4
Cvelist
added 2024/09/27 1:58 p.m. · 35 views

CVE-2024-47182 Dozzle uses unsafe hash for passwords

Dozzle is a realtime log viewer for docker containers. Before version 8.5.3, the app uses sha-256 as the hash for passwords, which leaves users susceptible to rainbow table attacks. The app switches to bcrypt, a more appropriate hash for passwords, in version 8.5.3...

CVSS 4.8 · EPSS 0.00205
Exploits 0 · References 2
OSV
added 2024/09/25 3:15 p.m. · 6 views

CVE-2024-22893

OpenSlides 4.0.15 verifies passwords by comparing password hashes using a function with content-dependent runtime. This can allow attackers to obtain information about the password hash using a timing attack...

CVSS 7.5 · AI score 5.8 · EPSS 0.00354
Exploits 0 · References 1