Lucene search
+L

95 matches found

OSV
OSV
added 2024/08/21 4:3 p.m.50 views

GO-2022-0964 SFTPGo vulnerable to recovery codes abuse in github.com/drakkan/sftpgo

SFTPGo vulnerable to recovery codes abuse in github.com/drakkan/sftpgo...

8.3CVSS8AI score0.00438EPSS
Exploits1References3
Hacker One
Hacker One
added 2022/12/14 6:4 p.m.20 views

Cloudflare Public Bug Bounty: 2FA BYPASS

A vulnerability in Cloudflare's Dashboard allowed for the retrieval of recovery codes without completing the authentication process. The issue was resolved by disallowing requests to the vulnerable API endpoint until users were fully authenticated...

7.3AI score
Exploits0
Github Security Blog
Github Security Blog
added 2022/09/16 9:5 p.m.37 views

SFTPGo vulnerable to recovery codes abuse

Impact SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a seconday authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes tha...

8.3CVSS8.1AI score0.00438EPSS
Exploits1References4Affected Software1
OSV
OSV
added 2022/09/16 9:5 p.m.19 views

GHSA-54QX-8P8W-XHG8 SFTPGo vulnerable to recovery codes abuse

Impact SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a seconday authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes tha...

8.3CVSS8.2AI score0.00438EPSS
Exploits1References4
Veracode
Veracode
added 2022/09/05 10:36 a.m.20 views

Authentication Bypass

github.com/drakkan/sftpgo is vulnerable to authentication bypass attacks. The library authorizes recovery codes to be generated before enabling two-factor authentication which allows an attacker who knows the user's password to potentially generate some recovery codes and then bypass two-factor...

8.3CVSS8.1AI score0.00438EPSS
Exploits1References3Affected Software1
NVD
NVD
added 2022/09/02 6:15 p.m.32 views

CVE-2022-36071

SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged,...

8.3CVSS0.00438EPSS
Exploits1References2
Prion
Prion
added 2022/09/02 6:15 p.m.14 views

Authentication flaw

SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged,...

5.5CVSS8.2AI score0.00438EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2022/09/02 5:15 p.m.40 views

CVE-2022-36071 Recovery codes abuse in SFTPGo

SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged,...

8.3CVSS8.5AI score0.00438EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2022/09/02 5:15 p.m.7 views

CVE-2022-36071 Recovery codes abuse in SFTPGo

SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged,...

8.3CVSS8.7AI score0.00438EPSS
Exploits1References2
CVE
CVE
added 2022/09/02 5:15 p.m.77 views

CVE-2022-36071

Vulnerability context (CVE-2022-36071): SFTPGo WebAdmin/WebClient allowed generation of recovery codes before two-factor authentication (2FA) was enabled, enabling an attacker who knew a user’s password to potentially generate recovery codes and bypass 2FA later. This affected versions 2.2.0 thro...

8.3CVSS8.2AI score0.00438EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2022/09/02 5:15 p.m.28 views

CVE-2022-36071 Recovery codes abuse in SFTPGo

SFTPGo is configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged,...

8.3CVSS8.3AI score0.00438EPSS
Exploits1References4
Positive Technologies
Positive Technologies
added 2022/09/02 12:0 a.m.6 views

PT-2022-23159 · Sftpgo · Sftpgo

Name of the Vulnerable Software and Affected Versions: SFTPGo versions 2.2.0 through 2.3.3 Description: SFTPGo is a configurable SFTP server with optional HTTP/S, FTP/S, and WebDAV support. It supports login using TOTP Time-based One Time Passwords as a secondary authentication factor and also...

8.3CVSS7.6AI score0.00438EPSS
Exploits1References9
OSV
OSV
added 2020/07/01 3:15 p.m.3 views

CVE-2020-5899

In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address ...

7.8CVSS7.2AI score0.00185EPSS
Exploits0References1
Microsoft CVE
Microsoft CVE
added 2018/01/09 8:0 a.m.36 views

ASP.NET Core Cross Site Request Forgery Vulnerabilty

A Cross Site Request Forgery CSRF vulnerability exists when a ASP.NET Core web application is created using vulnerable project templates. An attacker who successfully exploited this vulnerability could change the recovery codes associated with the victim's user account without his/her consent. As...

6.5CVSS3.2AI score0.03035EPSS
Exploits0
Cvelist
Cvelist
added 2017/08/30 9:0 a.m.17 views

CVE-2017-13774

Hikvision iVMS-4200 devices before v2.6.2.7 allow local users to generate password-recovery codes via unspecified vectors...

7.5AI score0.00464EPSS
Exploits0References1
Rows per page
Query Builder