What can we learn from the passwords used in brute-force attacks?
Brute force attacks are one of the most elementary cyber threats out there. Technically, anyone with a keyboard and some free time could launch one of them -- just try a bunch of different username and password combinations on the website of your choice until you get blocked. Nick Biasini and I...
Microsoft introduces passkeys for consumer accounts
Ten years ago, Microsoft envisioned a bold future: a world free of passwords. Every year, we celebrate World Password Day by updating you on our progress toward eliminating passwords for good. Today, we’re announcing passkey support for Microsoft consumer accounts, the next step toward our vision...
PT-2024-7900 · Okta · Okta Verify
Name of the Vulnerable Software and Affected Versions: Okta Verify versions 5.0.2 through 5.3.2 Description: The issue is related to the Okta Device Access feature in the Okta Verify agent for Windows, which provides access to the OktaDeviceAccessPipe. This allows attackers on a compromised devic...
Ray OS v2.6.3 - Command Injection Exploit
Exploit Title: Ray OS v2.6.3 - Command Injection RCE (Unauthorized). Description: The Ray Project dashboard contains a CPU profiling page, and the format parameter is not validated before being inserted into a system command executed in a shell, allowing for arbitrary command execution. If the system...
CVE-2024-29143
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozmoslabs, sareiodata Passwordless Login (passwordless-login) allows Stored XSS. This issue affects Passwordless Login: from n/a through 1.1.2...
CVE-2024-29143 WordPress Passwordless Login plugin <= 1.1.2 - Cross Site Scripting (XSS) vulnerability
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Cozmoslabs, sareiodata Passwordless Login (passwordless-login) allows Stored XSS. This issue affects Passwordless Login: from n/a through 1.1.2...
CVE-2024-29143
Passwordless Login (WordPress plugin)
WordPress Plugin Passwordless Login Cross-Site Scripting Vulnerability
WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language that supports personal blogs on PHP and MySQL servers. A WordPress plugin is an application...
PT-2024-22763 · Cozmoslabs · Cozmoslabs Passwordless Login
Name of the Vulnerable Software and Affected Versions: Cozmoslabs Passwordless Login versions 1.1.2 and earlier. Description: The issue is related to improper neutralization of input during web page generation, which allows for stored cross-site scripting (XSS). This means that an attacker can injec...
WordPress Passwordless Login Plugin <= 1.1.2 is vulnerable to Cross Site Scripting (XSS)
Software: Passwordless Login · Type: Plugin · Vulnerable versions: <= 1.1.2 · Fixed in: 1.1.3 · OWASP Top 10: A3: Injection · Classification: Cross Site Scripting (XSS) · CVE: CVE-2024-29143 · Patch priority: Low · CVSS severity: Low (6.5) · Developer: Claim ownership · PSID: 31d1f299fb2a · Credits: stealthcopter · Required privilege...
Mobatek MobaXterm 11.1 u3860 (CVE-2019-7690)
The version of Mobatek MobaXterm installed on the remote host is 11.1. It is, therefore, affected by a vulnerability as referenced in the CVE-2019-7690 advisory. - In MobaTek MobaXterm Personal Edition v11.1 Build 3860, the SSH private key and its password can be retrieved from process memory for...
CVE-2022-44589
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA, Two Factor, OTP SMS and Email | Passwordless login. This issue affects miniOrange's Google Authenticator – WordPress Two Factor...
CVE-2022-44589 WordPress miniOrange's Google Authenticator Plugin <= 5.6.1 is vulnerable to Sensitive Data Exposure
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in miniOrange's Google Authenticator – WordPress Two Factor Authentication – 2FA, Two Factor, OTP SMS and Email | Passwordless login. This issue affects miniOrange's Google Authenticator – WordPress Two Factor...
CVE-2022-44589
CVE-2022-44589 affects miniOrange's Google Authenticator – WordPress Two Factor Authentication plugin, with exposure of sensitive information up to version 5.6.1. Affected versions are listed as n/a through 5.6.1. Multiple sources recommend upgrading to a version later than 5.6.1 (e.g., 5.6.2+). ...
Code injection
ZITADEL is an identity infrastructure system. ZITADEL uses the Forwarded or X-Forwarded-Host header of the request that triggers a notification to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicio...
CVE-2023-49097 ZITADEL vulnerable account takeover via malicious host header injection
ZITADEL is an identity infrastructure system. ZITADEL uses the Forwarded or X-Forwarded-Host header of the request that triggers a notification to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicio...
ZITADEL Account Takeover via Malicious Host Header Injection
Impact: ZITADEL uses the Forwarded or X-Forwarded-Host header of the request that triggers a notification to build the button link sent in emails for confirming a password reset with the emailed code. If this header is overwritten and a user clicks the link to a malicious site in the email, the secret code c...