95 matches found
GO-2022-0964 SFTPGo vulnerable to recovery codes abuse in github.com/drakkan/sftpgo
SFTPGo vulnerable to recovery codes abuse in github.com/drakkan/sftpgo...
Cloudflare Public Bug Bounty: 2FA BYPASS
A vulnerability in Cloudflare's Dashboard allowed for the retrieval of recovery codes without completing the authentication process. The issue was resolved by disallowing requests to the vulnerable API endpoint until users were fully authenticated...
SFTPGo vulnerable to recovery codes abuse
Impact SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a seconday authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes tha...
GHSA-54QX-8P8W-XHG8 SFTPGo vulnerable to recovery codes abuse
Impact SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a seconday authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes tha...
Authentication Bypass
github.com/drakkan/sftpgo is vulnerable to authentication bypass attacks. The library authorizes recovery codes to be generated before enabling two-factor authentication which allows an attacker who knows the user's password to potentially generate some recovery codes and then bypass two-factor...
CVE-2022-36071
SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged,...
Authentication flaw
SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged,...
CVE-2022-36071 Recovery codes abuse in SFTPGo
SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged,...
CVE-2022-36071 Recovery codes abuse in SFTPGo
SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged,...
CVE-2022-36071
Vulnerability context (CVE-2022-36071): SFTPGo WebAdmin/WebClient allowed generation of recovery codes before two-factor authentication (2FA) was enabled, enabling an attacker who knew a user’s password to potentially generate recovery codes and bypass 2FA later. This affected versions 2.2.0 thro...
CVE-2022-36071 Recovery codes abuse in SFTPGo
SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged,...
PT-2022-23159 · Sftpgo · Sftpgo
Name of the Vulnerable Software and Affected Versions: SFTPGo versions 2.2.0 through 2.3.3 Description: SFTPGo is a configurable SFTP server with optional HTTP/S, FTP/S, and WebDAV support. It supports login using TOTP Time-based One Time Passwords as a secondary authentication factor and also...
CVE-2020-5899
In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address ...
ASP.NET Core Cross Site Request Forgery Vulnerabilty
A Cross Site Request Forgery CSRF vulnerability exists when a ASP.NET Core web application is created using vulnerable project templates. An attacker who successfully exploited this vulnerability could change the recovery codes associated with the victim's user account without his/her consent. As...
CVE-2017-13774
Hikvision iVMS-4200 devices before v2.6.2.7 allow local users to generate password-recovery codes via unspecified vectors...