130 matches found
PT-2022-21204 · Wwbn · Avideo
Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 11.6 WWBN AVideo dev master commit 3f7c0364 Description: An issue exists in the login functionality due to an improper password check. This allows an attacker with a user's password hash to directly log into the account,...
WWBN AVideo 授权问题漏洞
WWBN AVideo is a video platform builder written in PHP by the WWBN team. A security vulnerability exists in WWBN AVideo version 11.6, which stems from an incorrect password check in the login function...
Design/Logic Flaw
A unverified password change in Fortinet FortiADC version 6.2.0 through 6.2.3, 6.1.x, 6.0.x, 5.x.x allows an authenticated attacker to bypass the Old Password check in the password change form via a crafted HTTP request...
Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been...
CVE-2022-31802
In CODESYS Gateway Server V2 for versions prior to V2.3.9.38 only a part of the the specified password is been compared to the real CODESYS Gateway password. An attacker may perform authentication by specifying a small password that matches the corresponding part of the longer real CODESYS Gatewa...
Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been...
Kafka: Timing Attack Vulnerability for Apache Kafka Connect and Clients
Some components in Apache Kafka use Arrays.equals to validate a password or key, which is vulnerable to timing attacks that make brute force attacks for such credentials more likely to be successful. Users should upgrade to 2.8.1 or higher, or 3.0.0 or higher where this vulnerability has been...
CVE-2021-43298
The code that performs password matching when using 'Basic' HTTP authentication does not use a constant-time memcmp and has no rate-limiting. This means that an unauthenticated network attacker can brute-force the HTTP basic password, byte-by-byte, by recording the webserver's response time until...
Open Solutions For Education OpenSis-Classic SQL注入漏洞
openSIS is a free, open source student information system/school management software. A SQL injection vulnerability exists in openSIS version 8.0. The vulnerability stems from a lack of validation of input data for the $GET'usrid' and $GET'profid' parameters in PasswordCheck.php. An attacker can...
Citrix ADC - Error: "Invalid private key, or PEM pass phrase required for this private key" on FIPS device
When trying to export a PFX file from a certificate that has already been uploaded to the ADC, we get the error "Invalid private key, or PEM pass phrase required for this private key" , even after making sure the correct certificate and private key is selected, as well as entering the correct...
PT-2021-20357 · Etinet · Etinet Backbox E4.09
Name of the Vulnerable Software and Affected Versions: ETINET BACKBOX E4.09 version 22SEP2020 ETINET BACKBOX H4.09 version T0954V04^AAO Description: The issue arises from the mismanagement of password access control in ETINET BACKBOX. When a user logs in to the Backbox UI application using the Us...
GHSA-73XV-W5GP-FRXH Logic error in Legion of the Bouncy Castle BC Java
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different...
CVE-2021-26117
The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error...
CVE-2021-26117
The optional ActiveMQ LDAP login module can be configured to use anonymous access to the LDAP server. In this case, for Apache ActiveMQ Artemis prior to version 2.16.0 and Apache ActiveMQ prior to versions 5.16.1 and 5.15.14, the anonymous context is used to verify a valid users password in error...
DEBIAN-CVE-2020-28052
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different...
Design/Logic Flaw
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different...
UBUNTU-CVE-2020-28052
An issue was discovered in Legion of the Bouncy Castle BC Java 1.65 and 1.66. The OpenBSDBCrypt.checkPassword utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different...
Bouncy Castle BC Security Breach
Bouncy Castle BC is a cryptographic library for C and Java applications from the Bouncy Castle organization. A security vulnerability exists in Bouncy Castle BC. The vulnerability stems from comparing incorrect data when checking passwords...
CVE-2020-29377
An issue was discovered on V-SOL V1600D V2.03.69 OLT devices. The string K0LTdi@gnos312$ is compared to the password provided by the the remote attacker. If it matches, access is provided...
GHSA-JJJR-3JCW-F8V6 Potential Observable Timing Discrepancy in Wagtail
Impact A potential timing attack exists on pages or documents that have been protected with a shared password through Wagtail's "Privacy" controls. This password check is performed through a character-by-character string comparison, and so an attacker who is able to measure the time taken by this...