490 matches found
CVE-2025-64101
Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset...
EUVD-2025-36698
ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection...
GHSA-MWMH-7PX9-4C23 ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection
Impact A potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user. If an...
CVE-2025-64101
Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect via manipulation of the Forwarded or X-Forwarded-Host headers used to construct password reset confirmation links. An attacker can gain unauthorized access to user accounts by tricking users into clicking a password reset...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect via manipulation of the Forwarded or X-Forwarded-Host headers used to construct password reset confirmation links. An attacker can gain unauthorized access to user accounts by tricking users into clicking a password reset...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect via manipulation of the Forwarded or X-Forwarded-Host headers used to construct password reset confirmation links. An attacker can gain unauthorized access to user accounts by tricking users into clicking a password reset...
Open Redirect
Overview Affected versions of this package are vulnerable to Open Redirect via manipulation of the Forwarded or X-Forwarded-Host headers used to construct password reset confirmation links. An attacker can gain unauthorized access to user accounts by tricking users into clicking a password reset...
CVE-2025-64101 ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection
Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset...
Think passwordless is too complicated? Let's clear that up
By Janet Ho, Cisco Duo Why passwords are still a problem We've relied on passwords for years to protect our online accounts, but they've also become one of the easiest ways attackers get in. Many people reuse or simplify passwords, or even write them down because it's hard to remember so many. Th...
WordPress OwnID Passwordless Login plugin authentication bypass vulnerability
WordPress OwnID Passwordless Login plugin is a WordPress plugin for passwordless login function, by sending a one-time authorization code to the user's email or cell phone to complete the verification. An authentication bypass vulnerability exists in the WordPress OwnID Passwordless Login plugin,...
CVE-2025-10294
The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownidsharedsecret value is empty prior to authenticating a user via JWT. This makes it possible for...
CVE-2025-10294 OwnID Passwordless Login <= 1.3.4 - Authentication Bypass
The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownidsharedsecret value is empty prior to authenticating a user via JWT. This makes it possible for...
CVE-2025-10294 OwnID Passwordless Login <= 1.3.4 - Authentication Bypass
The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownidsharedsecret value is empty prior to authenticating a user via JWT. This makes it possible for...
CVE-2025-10294
The CVE-2025-10294 entry concerns the WordPress OwnID Passwordless Login plugin. Affected versions are all up to 1.3.4, with authentication bypass caused by not properly checking if the ownid_shared_secret is empty before authenticating via JWT. This allows unauthenticated attackers to log in as ...
WordPress WPBifröst – Instant Passwordless Temporary Login Links plugin <= 1.0.7 - Missing Authorization to Authenticated (Subscriber+) Privilege Escalation vulnerability
Missing Authorization to Authenticated Subscriber+ Privilege Escalation vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin WPBifröst – Instant Passwordless Temporary Login Links versions = 1.0.7...
WordPress OwnID Passwordless Login plugin <= 1.3.4 - Authentication Bypass vulnerability
Authentication Bypass vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin OwnID Passwordless Login versions = 1.3.4...
WordPress plugin OwnID Passwordless Login 安全漏洞
WordPress OwnID Passwordless Login plugin is a WordPress plugin for passwordless login function, by sending a one-time authorization code to the user's email or cell phone to complete the verification. An authentication bypass vulnerability exists in the WordPress OwnID Passwordless Login plugin,...
EUVD-2020-30290
Malware in sbrugna...
EUVD-2019-17222
Malware in sbrugna...