Github Security Blog
added 2022/09/16 9:05 p.m.

SFTPGo vulnerable to recovery codes abuse

Impact SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes tha...

CVSS 8.3 · AI score 8.1 · EPSS 0.00422
Exploits 1 · References 4 · Affected software 1
OSV
added 2022/09/16 9:05 p.m.

GHSA-54QX-8P8W-XHG8 SFTPGo vulnerable to recovery codes abuse

Impact SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged, SFTPGo also supports recovery codes. These are a set of one time use codes tha...

CVSS 8.3 · AI score 8.2 · EPSS 0.00422
Exploits 1 · References 4
Veracode
added 2022/09/05 10:36 a.m.

Authentication Bypass

github.com/drakkan/sftpgo is vulnerable to authentication bypass attacks. The library authorizes recovery codes to be generated before enabling two-factor authentication which allows an attacker who knows the user's password to potentially generate some recovery codes and then bypass two-factor...

CVSS 8.3 · AI score 8.1 · EPSS 0.00422
Exploits 1 · References 3 · Affected software 1
NVD
added 2022/09/02 6:15 p.m.

CVE-2022-36071

SFTPGo is a configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged,...

CVSS 8.3 · EPSS 0.00422
Exploits 1 · References 2
Prion
added 2022/09/02 6:15 p.m.

Authentication flaw

SFTPGo is a configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged,...

CVSS 5.5 · AI score 8.2 · EPSS 0.00422
Exploits 1 · References 2 · Affected software 1
Vulnrichment
added 2022/09/02 5:15 p.m.

CVE-2022-36071 Recovery codes abuse in SFTPGo

SFTPGo is a configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged,...

CVSS 8.3 · AI score 8.7 · EPSS 0.00422
Exploits 1 · References 2
CVE
added 2022/09/02 5:15 p.m.

CVE-2022-36071

Vulnerability context (CVE-2022-36071): SFTPGo WebAdmin/WebClient allowed generation of recovery codes before two-factor authentication (2FA) was enabled, enabling an attacker who knew a user’s password to potentially generate recovery codes and bypass 2FA later. This affected versions 2.2.0 thro...

CVSS 8.3 · AI score 8.2 · EPSS 0.00422
Exploits 1 · References 2 · Affected software 1
Cvelist
added 2022/09/02 5:15 p.m.

CVE-2022-36071 Recovery codes abuse in SFTPGo

SFTPGo is a configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged,...

CVSS 8.3 · AI score 8.5 · EPSS 0.00422
Exploits 1 · References 2
OSV
added 2022/09/02 5:15 p.m.

CVE-2022-36071 Recovery codes abuse in SFTPGo

SFTPGo is a configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP Time-based One Time Passwords as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost, stolen or damaged,...

CVSS 8.3 · AI score 8.3 · EPSS 0.00422
Exploits 1 · References 4
Positive Technologies
added 2022/09/02 12:00 a.m.

PT-2022-23159 · Sftpgo · Sftpgo

Name of the Vulnerable Software and Affected Versions: SFTPGo versions 2.2.0 through 2.3.3 Description: SFTPGo is a configurable SFTP server with optional HTTP/S, FTP/S, and WebDAV support. It supports login using TOTP Time-based One Time Passwords as a secondary authentication factor and also...

CVSS 8.3 · AI score 7.6 · EPSS 0.00422
Exploits 1 · References 9
OSV
added 2020/07/01 3:15 p.m.

CVE-2020-5899

In NGINX Controller 3.0.0-3.4.0, recovery code required to change a user's password is transmitted and stored in the database in plain text, which allows an attacker who can intercept the database connection or have read access to the database, to request a password reset using the email address ...

CVSS 7.8 · AI score 7.2 · EPSS 0.00185
Exploits 0 · References 1
Microsoft CVE
added 2018/01/09 8:00 a.m.

ASP.NET Core Cross Site Request Forgery Vulnerability

A Cross Site Request Forgery CSRF vulnerability exists when an ASP.NET Core web application is created using vulnerable project templates. An attacker who successfully exploited this vulnerability could change the recovery codes associated with the victim's user account without his/her consent. As...

CVSS 6.5 · AI score 3.2 · EPSS 0.03035
Exploits 0
Cvelist
added 2017/08/30 9:00 a.m.

CVE-2017-13774

Hikvision iVMS-4200 devices before v2.6.2.7 allow local users to generate password-recovery codes via unspecified vectors...

AI score 7.5 · EPSS 0.00464
Exploits 0 · References 1